The future of digital identity in Australia
17 Nov 2022

It seems that hardly a day goes by without news of another Australian organisation being hit by a data breach. While the underlying causes and the actions we need to take to prevent them are many and varied, one question to ask is whether all these organisations need to collect and store all this data.

In the case that started the recent tsunami of breaches, Optus, the company was obliged by legislation to verify the identity of its customers. Certainly, verification is important in preventing and detecting other crimes that might be perpetrated using telecommunications networks, but what if there was a way of doing this without every new customer needing to hand over details of their identity documents, which then have to be verified and stored for audit purposes?

Digital identity systems provide exactly such a solution. A digital identity system enables individuals to prove their verified identity (and potentially other personal details) online. Properly designed, it provides people with the ability to control exactly what is shared with whom, and ensures that only the minimum necessary data is shared.

To its credit, the Albanese government appears to have realised this and plans to revive the proposed ‘Digital Identity System’, which has largely lain dormant since the previous government published draft legislation at the tail end of last year. The concept of digital identity has been around for many years; the first iteration of the government’s ‘Trusted Digital Identity Framework’ was drafted in 2015. Budget data shows that more than $600 million has been spent since then on the nascent system, yet most people’s interactions with it occur at most once a year, when filing their tax returns. To be an effective tool to facilitate and secure digital transactions, a digital identity system needs to be something that a large number of people use regularly.

Our latest research at ASPI has shown that there are several barriers that are making state governments, businesses and customers reluctant to join the government’s proposed system. If it doesn’t achieve a critical mass of participants to make it worthwhile for people to engage with it, it will fail. As the federal government moves forward with proposed legislation, it will need to address these barriers in order to build confidence and drive take-up.

Obviously, given recent events, security is a major concern. To supplement the current framework for accrediting organisations using the system, a transparent process needs to be established to allow researchers to report vulnerabilities and for them to be addressed. We also need well-resourced monitoring systems that can quickly detect any illegitimate activity, and robust processes to fix any incidents of stolen identity so that the impact on the people affected is minimised.

Any digital identity system will build on our existing underlying identity systems. The fallout from the Optus data breach has shown some of the limitations of the current patchwork of systems across states and federal government departments. We need common standards and safeguards; otherwise, criminals will find and exploit systemic weaknesses.

Another equally important factor is privacy. Recent cyber breaches have raised public awareness of the data that companies collect and hold. To gain acceptance, we need to ensure that a digital identity system doesn’t have the unwelcome side effect of further enabling the rise of ‘surveillance capitalism’. We need to avoid a dystopian future where the profiles already built up by Facebook and others are linked to verified personal details, which would make them even more valuable and increase the incentives for intrusiveness. This will require a combination of regulations that govern how data can be used and technical measures that limit the personal data shared with organisations.

Sometimes, the requirements for security and privacy need to be balanced. For example, the system is designed to allow individuals to set up multiple identities. This is intended to preserve privacy—for example, allowing someone to separate their business and personal transactions. However, it raises an obvious question about how to build effective safeguards to detect fraudulent duplication of identities.

Governance arrangements will also need to be addressed. If the federal government effectively owns the system and has decision-making powers over detailed technical standards, this is unlikely to give the states and territories, or commercial organisations, the confidence to make long-term commitments to the system. If all players decide that the only way to have control over the systems is to build their own, such fragmentation would probably be fatal.

A better idea would be to hand over ownership and control of the system to an independent entity governed by representatives from all stakeholders, with the federal government’s role limited to setting the regulatory environment. Examples such as the bank payment system provide a potential model.

Finally, Australia doesn’t operate in a digital vacuum. When developing digital identity systems, we should aim to align as much as possible with international partners. This will not only encourage participation by multinational companies—which will be reluctant to develop bespoke systems for each country—but also could unlock additional benefits in facilitating digital trade.

Digital identity systems offer opportunities to reduce the cyber risks posed by the sharing of personal identity information, and to unlock economic benefits by building trust and reducing friction in the digital economy. The estimated annual microeconomic benefits are $11 billion, which could finally justify the significant costs to date.

However, to be successful, the system needs to reach a critical mass of organisations and users and become part of everyday digital life. The government has an opportunity to reset the approach and focus on the issues that could impede take-up, engaging with stakeholders and making them part of the journey. The time to do this is now.