Getting Australia’s digital Trust Exchange right
18 Nov 2024|

To realise the potential of the Digital ID Act and the recently unveiled Trust Exchange (TEx), the government must move past political soundbites and develop a comprehensive identity and credentials strategy that includes building technical architecture and conducting an end-to-end security assessment.

The government is yet to publish the rules and standards in relation to the Digital ID Act, which was finally passed May. We’re also still waiting to hear details of TEx, a world-leading digital identity verification system, which Government Services Minister Bill Shorten unveiled in August.

The Digital ID Act was the government’s response to the 2022 data breaches at Optus and Medibank, which prompted a fundamental reassessment of what sensitive data should be collected and how long it should be stored. Businesses should still conduct checks on customers—for example, to prevent money-laundering or alcohol sales to minors—but a better solution is needed than simply storing digitised copies of paper identification documents.

A digital ID scheme had been proposed for many years in different guises, but the 2022 breaches finally led to a new draft legislation in September 2023, kicking off the process that led to the Digital ID Act.

This Act is a major step in the right direction. It provides a legislated basis for a federated trust system and avoids creating a unique identifier for every citizen or a centralised ‘honeypot’ of data about people and their transactions. The accreditation rules include strong privacy and security safeguards to build trust in the system and put individuals in control of what personal data is disclosed to whom and when. However, as I outline in a recent ASPI report, there are several policy issues which, if left unresolved, could jeopardise successful deployment and adoption of the digital ID system.

Based on the limited details released so far, TEx could be on the verge of repeating many of the same missteps.

TEx appears to be a system that securely shares specific identity attributes for in-person interactions through a digital identity app on a handheld device. One example is proof-of-age checks at licenced premises: in lieu of physical documentation that shows the customer’s date of birth, the app simply verifies whether they are over or under 18. This would prevent data breaches such as the Clubs NSW incident, in which hackers stole data from patrons’ drivers licences that had been routinely scanned and stored.

But the sparse details about TEx are contradictory and ambiguous, causing some to be sceptical of the scheme. Shorten has suggested that it will ‘build upon digital ID infrastructure’, using the existing identity exchange operated by Services Australia and the myGov app, supported by some sort of record of each identity verification transaction. But this contradicts accreditation rules for the identity exchange, which specifically prohibit it from keeping logs of user activity.

This sort of ambiguity leads some to assume the worst, such as Electronic Frontiers Australia who claim the system will create the ‘mother of all honeypots’ and enable centralised surveillance. It doesn’t help that a recent Ombudsman report suggested that the myGov app currently falls well short of expectations on security and fraud prevention.

The government is also setting unrealistic expectations about the benefits of TEx, with Shorten suggesting that it will achieve ‘some of the best aspects of the GDPR’. The introduction of GDPR—the European Union’s data privacy and security law—had a dramatic effect on companies’ security and privacy practices because it was backed by massive penalties for non-compliance and encompassed all aspects of data collection, storage and usage. In contrast, Australia’s TEx, a voluntary system that might allow some organisations to opt out of collecting some personal data, is never going to have the same level of impact.

The incentives for companies to opt-in are unclear. Big names such as CBA and Seek have apparently offered ‘in-principle’ support, but this may change when they hear more details, particularly about costs.

It is also unclear how these different IT systems, owned and operated by different departments, will fit together to provide end-to-end service, security and privacy. TEx will be built by Services Australia, ‘on top of’ Digital ID infrastructure set up by the Department of Finance. Meanwhile the Attorney-General’s Department is developing a mobile app that alerts users whenever their identity credentials are used.

To execute these systems successfully, the government must develop an overarching identity and credentials strategy across the Commonwealth and the states and territories. This should include technical architecture, based on sound system engineering principles, that outlines how the different systems will work together. There should also be an end-to-end security assessment to ensure data confidentiality and resilience in the system. To achieve this, the government must break down departmental silos and build public support through transparent information and debate.

These new digital ID systems have the potential to increase privacy standards, reduce data breaches and improve the public’s experience of government service delivery—but only if it is properly executed. This opportunity is too big to squander.