The logical step towards reducing digital vulnerabilities

Researchers say expanding Australia’s digital identity system could strengthen privacy by reducing vulnerability to cyber breaches, hacks, scams and identity fraud.

Professor Jeannie Paterson, director of the Centre for Artificial Intelligence and Digital Ethics at Melbourne Law School, says “digital identity schemes that are properly set up and accredited may be far more privacy-enhancing than what we are using at the moment”.

Currently, she says “people have traces of information in all sorts of places, they’ve got it with their phone company, their bank, the person they rent from, their gym, their employer”.

All that personal information scattered across society along with the rise of artificial intelligence technologies like deepfakes, leaves people increasingly vulnerable to identity theft and having their data hacked, Paterson says.

The federal government’s Digital ID Bill proposes to strengthen and expand Australia’s digital identity system, initially for use by government and eventually by private sector organisations. The NSW government is pursuing its own digital identity scheme for accessing government and non-government services.

Paterson says many people are already using a form of privately provided digital identity to access commercial products and services.

“If you have Facebook, if you use Google, if you use Apple, when you’re trying to access an online store or an online commercial service, you’ll often be asked ‘Do you want to use your Apple ID, your Facebook identity or your Google identity?’ That’s a form of digital identity,” she says.

In some higher-stakes interactions such as renting a property, opening a bank account or accessing government services, people are even being asked to share key identifying documents such as passports, birth certificates and driver’s licences.

While new technologies carry privacy risks, Paterson says a carefully designed digital identity system has the potential to make Australians more secure by enabling them to verify their identity in person or online without sharing sensitive information.

That has policy benefits for government too, she says. “The government doesn’t want to be dealing with endless cyber breaches and cyber hacks. In that sense, it’s conducive to a digital economy.”

The framework proposed by the government isn’t compulsory, she says. It includes accreditation of verification providers, training, oversight measures and privacy protections. Unlike schemes in Estonia, Singapore and India, the Australian government won’t be the digital identity provider.

Chandni Gupta, deputy CEO and digital policy director at the Consumer Policy Research Centre, says the centre’s research indicates people are uncomfortable with the level of personal information they are being asked to share in online interactions. They are increasingly looking to government to play a key role in protecting their privacy.

“We found that 64% of Australians find it unfair that businesses require you to supply more personal information than what is actually necessary to deliver that product or service,” she says.

“There’s a real discomfort with your personal information being used in ways that was never agreed to.”

Samantha Floreani is head of policy for Digital Rights Watch, a not-for-profit organisation that advocates for the public’s right to privacy and security online.

“Historically, a significant proportion of Australians have reacted negatively to proposals for digital identification or centralised identity-related systems, including the rejection of the Australia Card and the high opt-out rate of the MyHealthRecord scheme,” she says.

The landscape is now shifting, Floreani says. Current proposals to expand Australia’s digital identity scheme may be viewed differently in light of large-scale data breaches affecting Optus, Medibank and Latitude.

“Now the notion of a digital identity system that enables government bodies and companies to verify people’s identity without each collecting and storing identity documents has become more appealing to many, who are rightly concerned about the privacy, security and safety risks that come with lots of entities handling their personal information.”

While there are potential benefits from digital identity systems, there are also privacy, security and accessibility risks.

Floreani says digital ID systems should be decentralised, accessible, inclusive and genuinely voluntary with practical non-digital alternatives available, with robust privacy and digital security protections built in.

A digital identity system must “never be repurposed for surveillance or law enforcement purposes”, she says. There need to be meaningful accountability, oversight, audit and review mechanisms as well as pathways for redress if harm or misuse occurs.

Paterson says ensuring the scheme “protects rather than erodes privacy”, will require strong cryptography, privacy safeguards and oversight.

To be fair and equitable, she says any scheme needs to make allowance for people who are unable or prefer not to use online services. This includes those without access to secure phone and internet services, and people without identity documents – a particular issue for First Nations people.

The design should be “autonomy enhancing”, giving users control over when and how they interact with the system, she says.

In the context of digital identity and privacy act reforms, Paterson suggests the government audit all laws requiring the collection of personal information to see “whether that’s still fit for purpose”.

One issue that will need to be resolved is the extent to which biometric information is used.

Paterson says most digital ID schemes offer an option to verify identity using biometric identification, like a face print. However, some people may feel uncomfortable about their identity being tied to biological markers rather than a document-based system.

The NSW system uses a form of facial verification technology. Researchers at the Human Technology Institute at the University of Technology Sydney have flagged risks including algorithmic bias, errors and identity fraud with the use of biometric and facial verification, outlining policy principles and protections for digital identity.

The Mandarin is an essential resource for anyone interested in Australia’s public sector, with daily news, commentary, analysis and expert advice.

The Mandarin acknowledges the Traditional Owners of the many nations across Australia, and pay our respect to Elders past and present. We recognise that their sovereignty has never been ceded.