Report No. 66/2022
What’s the problem?
Digital identity was a key part of the Australian Government’s Digital Economy Strategy: a further $161 million was committed in the 2021 mid-year budget update, bringing total investment since 2015 to more than $600 million. Over that period, the government has developed the Trusted Digital Identity Framework, established the Digital Identity System and, in late 2021, published draft legislation to govern and regulate the system. Although there’s been little apparent progress in the past 10 months, if the potential microeconomic benefits (estimated at $11 billion in the previous government’s Digital Economy Strategy) aren’t sufficient incentive, the September 2022 data breach at Optus, and the subsequent run of data breaches at other companies in October, should supply new impetus. This is because digital identity offers an opportunity to allow organisations to reliably validate customer identities without collecting the sort of sensitive personal information that Optus held, the loss of which has exposed more than 10 million Australians to the risk of identity theft.
Without intervention, the current scheme is on a trajectory to fail. If the government wants to revive the Digital Identity System, it will need to attract state and territory governments and commercial organisations to participate in the system as well as getting the public to sign up—aiming for a critical mass of users to create a ‘network effect’.
However, to build the trust and confidence required to achieve that outcome, the government needs to address three key areas of concern. First, governance arrangements currently give the federal government final decision-making authority on future changes to the rules of the system. Second, there are potential cybersecurity and identity-fraud risks due to gaps in the currently proposed arrangements; although the Optus data breach should help to demonstrate the need for such a system, it means that users will require reassurance of the security of any new system before they’re willing to participate in it. Third, there’s a need for better privacy protections to avoid a situation in which commercial relying parties use the Digital Identity System to build even more valuable profiles of citizens.
What’s the solution?
The Australian Government should recognise that, although its Digital Identity System is only one of many possible digital identity systems in Australia, it could become the dominant system due to network effects, spanning both the government and the private sectors. The current proposals give final decision-making authority, including over detailed technical specifications, to the relevant government minister. This report instead recommends a formal independent oversight authority governed by a board that includes representatives from all groups—the federal government, civil society, the states and territories and the private sector. The oversight authority should also create a formal public reporting mechanism for potential vulnerabilities, and transparency on how such reports have been assessed and acted on, to improve the actual and perceived security of the system.
Security measures should be mandated, the oversight authority should be funded to put in place key controls, and the Digital Transformation Agency (DTA) should work with the Department of Home Affairs to secure some of the vulnerabilities in existing non-digital identity systems upon which the digital systems will rely. Other recommended safeguards include centralised security monitoring and robust management of multiple identity risks.
Finally, privacy will be the key to public acceptance of the system, and a stronger regime is needed to ensure true informed consent to the use of digital identity data by commercial relying parties when building up and monetising profiles of their customers.
Digital identity was a key part of the previous government’s 2021 Digital Economy Strategy,1 including strengthening and modernising systems to build trust and combat identity fraud. This was expected to unlock $11 billion annually in economic benefits by reducing costs and improving the experience of citizens using digital services.2
A person or entity can establish a digital identity that can be verified and trusted by other organisations that they deal with, so that they know whom they’re transacting with and their key relevant attributes. A digital identity ecosystem provides the infrastructure of interconnection between those parties and the mechanisms for trust and verification.
In October 2021, the federal government published an exposure draft of legislation that builds on earlier work of establishing the Trusted Digital Identity Framework (TDIF)—a standard that, in theory, anyone could implement.3 The government has used this to create its own TDIF-compliant digital identity system, referred to as the ‘Digital Identity System’ in the proposed legislation. The legislation is intended to replace current interim measures for the governance of the TDIF and the Digital Identity System. It seeks to address some of the current gaps in regulation with the aim of encouraging more participation of state and territory services and private-sector service providers.4
I begin this paper with a brief overview of the TDIF, the Digital Identity System and the proposed legislation. I then discuss the key issues in developing digital identity in Australia and conclude by providing policy recommendations for consideration.
The Trusted Digital Identity Framework
In 2014, the Financial System Inquiry recommended:
Government should, in consultation with the private sector, develop a national identity strategy based on a federated-style model in which public and private sector identity service providers would compete to supply trusted digital identities to individuals.5
Following the inquiry, the government started the development of the TDIF in 2015. The framework has gone through a number of iterations incorporating lessons learned and advances in technology.
The TDIF defines the following roles in a digital identity ecosystem:
- Identity service provider: manages and verifies identity information for individuals, working with:
  - attribute verification services to confirm an identity
  - credential service providers to authenticate a user as authorised to use a digital identity
- Attribute provider: provides additional user attributes from other organisations (for example, driver’s licence entitlements)
- Relying party: receives trusted information from identity and attribute service providers, which is used for digital transactions
- Identity exchange: a central component that mediates transactions between the other providers in order to implement:
  - easier onboarding and interconnection (each party needs to connect to only one central exchange)
  - a ‘double blind’ model, in which all parties (other than the exchange) are unaware of one another’s actions
  - conversion between multiple technology protocols that may be used by different parties.
Figure 1 shows the interrelationships between these roles, but it isn’t necessarily a closed system. There could be multiple TDIF-compliant digital identity systems, potentially interconnecting with each other, interoperable with other frameworks, or both.
Figure 1: TDIF ecosystem interactions and roles
Source: Reproduced from the Digital Identity, 06A Federation Onboarding Guidance paper, Australian Government, March 2022, online.
To become TDIF-compliant, all roles listed above, other than relying parties, require formal accreditation, which is currently carried out by the DTA. As of October 2022, the only TDIF-accredited services were Services Australia, Mastercard and eftpos identity exchanges; the Australian Taxation Office (ATO), Australia Post, Mastercard and OCR Labs as identity service providers (and all except for OCR Labs also as credential service providers); and the ATO and Services Australia as attribute providers.6
Biometrics is the measurement and statistical analysis of people’s unique physical or behavioural characteristics (for example, fingerprints, iris patterns and facial recognition). Biometrics can be used for one-to-one matching (that is, confirming an individual matches the person they claim to be) and for one-to-many matching (that is, working out who an individual is by comparing them to a large potential set of samples from many different people). Biometric data is highly sensitive and subject to specific safeguards.
The TDIF allows one-to-one matching for:
- Initial establishment of digital identity: Biometric verification is mandated for the highest levels of identity proofing (for example, comparing a sample photo of someone taken on their phone, using security measures to ensure that they’re physically present, against their verified passport photograph, following which the sample photo is destroyed).
- Confirmation that the person is the authorised user of a digital identity. For example, a mobile app can use fingerprint or facial recognition; in this case, the biometric sample is checked only against data stored on the user’s device and not shared with any other parties.
The TDIF explicitly prohibits the use of one-to-many matching for digital identity purposes, and the proposed legislation would have enshrined that in law had it been passed. This is because the use of biometrics such as facial recognition to identify individuals raises privacy and civil liberty concerns that could undermine public acceptance of the system. Separate legislation to regulate broader use of such biometric services is still pending in Australia. The Identity-Matching Services Bill was referred by federal parliament to the Parliamentary Joint Committee on Intelligence and Security for review, and since the federal election the new government hasn’t yet indicated how it plans to respond to the committee’s findings.7
The Digital Identity System
The Digital Identity System is the Australian Government’s implementation of its proposed digital identity ecosystem, to which TDIF-compliant services can be ‘onboarded’ (following accreditation where required). At January 2022, the only onboarded services were the myGovID identity service, the ATO relationship manager and the Services Australia identity exchange, although the DTA has stated that other providers are at various stages in the onboarding process. The other accredited providers have their own standalone systems and services running, but those aren’t currently an integrated part of the official Digital Identity System.
Currently, administration and oversight of the Digital Identity System is the responsibility of an Interim Oversight Authority (IOA). Services Australia performs the operational functions, such as incident management, change and release management and coordination, fraud prevention and cybersecurity incident management; the DTA handles policy, accreditation and service onboarding and leads architectural system design and standards. All onboarded parties must sign up to a system governance agreement, which covers legal, technical, cybersecurity, reporting and other requirements; all existing onboarded parties that are TDIF-accredited must also approve any new parties before the new parties can be onboarded. These interim arrangements are planned to be superseded by new legislation, as discussed in the next section.
The digital identity legislation proposed by the previous government, the Trusted Digital Identity Bill, would have put in place permanent governance arrangements and regulations, creating an Oversight Authority as a government-funded and -appointed independent statutory body. This would replace the Interim Oversight Authority and take over as the TDIF accreditation authority; the existing Information Commissioner would have been harnessed to regulate privacy aspects.
The legislation would have covered those organisations that choose to participate by being accredited under the TDIF and/or joining the Digital Identity System, which must comply with various privacy and consumer safeguards. There would also be interoperability provisions, ensuring that all onboarded participants in the Digital Identity System interact equally with all other participants unless they have a specific exemption. It would seek to ensure that customers of service providers that join the Digital Identity System have a choice about whether to participate. Service providers providing essential or monopolistic services would be obligated to provide an alternative channel for access to their services, although that may still be a digital channel.
The proposed Bill would sit at the top of a hierarchy of regulations, supplemented by TDIF accreditation rules and Trusted Digital Identity rules, which are legally binding instruments that can be changed by the minister but must be tabled in, and can be disallowed by, parliament. Detailed technical requirements would have been covered by technical standards issued by the Oversight Authority. Figure 2 shows this overall structure of the legislation.
Figure 2: Structure of digital identity legislation, rules and regulations
Source: Reproduced (licensed under CC BY 4.0) from the Digital Transformation Agency, Digital identity legislation position paper, Australian Government, no date, online, which also provides more details on the structure of the various components.
Issues to consider
Generating a ‘network effect’
Generating a greater network effect will be important for the success of the Digital Identity System. The more organisations accept a digital identity, the more likely it is that people will want to set up such an identity; and, as more people sign up to a system, organisations will be more willing to invest in joining that system to access the user base.
Currently, take-up of the TDIF and Digital Identity System by organisations has been slow, which means the number of individuals using it regularly is very small. This may be linked to perceived complexity (almost 800 requirements across the TDIF document set), the costs of accreditation, and the time taken for accreditation (which is typically 12 months or more). Given the pace at which technology changes, this can mean that approaches are out of date by the time they’re accredited.
Governance and ownership
The proposed legislation related only to the TDIF and the Digital Identity System, which is just one of potentially multiple (potentially overlapping) digital identity systems. This means the Digital Identity System8 will occupy a privileged position in this landscape, as the only system with statutory provisions to protect participants and users; and the network effect means that it could outcompete other ecosystems (for example, the Australian Payments Council has been working on its own TrustID framework).
This would mean that the dominant system will be effectively owned by the federal government, with broad ministerial powers to change regulations, although mostly (but not always) subject to consultation and in some cases a parliamentary disallowance process. This may be a concern for states such as NSW, Victoria and Queensland, which have their own digital identity programs, as well as for commercial organisations. A better alternative could be the Canadian approach of setting up the framework as a non-profit entity with members from government, service providers and technology providers. In theory, if organisations are unhappy with future changes made by the government they could choose to leave the system, but again network effects might make that infeasible.
It should also be noted that the Trusted Identity Bill is one of many potentially relevant pieces of legislation. For example, it’s possible that digital identity systems could qualify as ‘critical infrastructure’, subject to the enhanced cybersecurity obligations under the recently passed amendments to the Security of Critical Infrastructure Act; also, service providers could potentially be considered ‘designated communications providers’ under Part 15 of the Telecommunications Act 1997.
Identity policy in Australia has always been haunted by the ‘Australia Card fail’,9 and ensuring the privacy of users will always be vital to public acceptance of any policy. Digital identity, done correctly, can improve privacy, as users can choose exactly what information to share with relying parties. For example, instead of showing your complete driving licence details in order to purchase alcohol, the retailer instead just sees a verification that you are over 18 from a trusted provider who has verified your identity and relevant details.
The TDIF includes several requirements to safeguard privacy, and multiple privacy impact assessments have been conducted and published along with the DTA’s responses. The TDIF will also compel organisations to opt in to coverage by the Privacy Act 1988 if they’re currently exempt. All participants must also carry out regular privacy impact assessments, although there’s no obligation for those to be published.
The TDIF concept of the identity exchange can further improve privacy by shielding the identity of different service providers from one another, thus limiting the ability to collect and aggregate user activity across multiple service providers. Although the operation of such a ‘double blind’ isn’t mandated by the TDIF requirements, the proposed legislation is expected to mandate this for the Services Australia identity exchange.
The proposed regulations will restrict identity service providers’ use of data profiling and user-behaviour analysis for unrelated marketing purposes and will prohibit speculative profiling for investigatory purposes. There are, however, no proposed restrictions on commercial relying parties, which could effectively set up parallel identities with detailed profiles of customers using the data they obtain from participation in the Digital Identity System. By harnessing the scheme, the profiles could be bound to verified real people, and could be sold to aggregators to build up detailed records of people’s activity. In that case, we would need to rely on existing legislation such as the Australian Privacy Principles to protect against such risks. Such legislation currently protects information ‘about’ an individual who’s ‘identified or reasonably identifiable’; however, it should be updated to distinguish between an identified person and a person whose identity is confirmed by a digital ID.
Risks of identity theft and fraud
Digital identity should raise the barrier to the establishment of fraudulent identities, but it also increases the potential impact of successful identity theft—once established, a fraudulent identity could potentially be reused many times without further challenge (at least until the real owner becomes aware of the identity theft and invokes the relevant processes). Identity service providers have no obligation to ever revalidate the identities they manage (except in some very specific limited circumstances), although they must inform relying parties of how recently an identity was verified, and the relying parties might decide whether further checks are needed.
The TDIF identity-proofing requirements are based on the long-established National identity proofing guidelines, adapted to a digital identity context.10 Under the guidelines, relying parties check the documents of users and in some cases can make their own risk judgements about what to accept. Under the TDIF, instead of that, those judgements are made by the identity service providers. Relying parties won’t be aware of any exceptions granted;11 in addition, interoperability rules mean that they can’t differentiate in the trust placed in different identity service providers. Also, digital identity-proofing schemes are only as secure as the existing paper-based identity document systems they rely upon, about which there are a number of concerns (for example, state jurisdiction requirements on name changes vary widely).
The Digital Identity System will allow people to create multiple identities, for privacy and the convenience of end users, but that increases fraud risk. Some countries don’t permit multiple identities, but others that, like Australia, have a cultural resistance to a centralised ID system (such as the UK) do permit them. The TDIF does include a limited mechanism of passing a cryptographic ‘hash’12 of document identifiers to relying parties, which they could use to identify duplicate identities. However, a sophisticated criminal could easily work around that; also, this mechanism is alleged to have its own security vulnerabilities.13 Relying parties can apply to the Oversight Authority for direct access to identification document attributes, but need to present a strong rationale for doing so, and it’s expected that this will apply only to the highest risk use cases. Although one-to-many biometric match searches could be used to de-duplicate identities, they’re specifically prohibited by the legislation. They would be allowed only by law-enforcement agencies in response to suspected cases of fraud, with appropriate authorisations, rather than for the proactive identification of cases.14
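The hashed document-identifier mechanism mentioned above can be illustrated with a small duplicate-detection routine. This is an added example written for this page, not the TDIF’s actual specification or any provider’s code: the keyed HMAC-SHA256 construction, the scheme-held key, the normalisation rules and all document numbers are assumptions or constructed values. It shows how a relying party could spot two identities presenting the same document once formatting differences are normalised away, and also the limit the report describes: an identity established on a different document shares no hash with the others and is not linked by this mechanism at all.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for deriving the hashes; an assumption of this example, not a TDIF value.
DEMO_KEY = b"demo-document-hash-key"

# Constructed sample identities as a relying party might receive them:
# (identity id, [(document type, document number), ...]). All numbers are made up.
SAMPLE_IDENTITIES = [
    ("id-A", [("passport", "PA1234567")]),
    ("id-B", [("passport", "pa 1234567")]),          # same passport, different formatting
    ("id-C", [("drivers_licence", "DL 9988 7766")]),
    ("id-D", [("drivers_licence", "DL 5544 3322")]),  # different document: not linkable by hash comparison
]


def normalise(doc_type, number):
    """Canonicalise a document reference so formatting differences don't defeat matching."""
    cleaned = unicodedata.normalize("NFKC", number).upper().replace(" ", "").replace("-", "")
    return f"{doc_type.upper()}:{cleaned}"


def document_hash(doc_type, number, key):
    """Keyed hash (HMAC-SHA256) of the normalised document reference.

    Document numbers are short and structured, so an unkeyed hash of one could be
    matched back to the number by hashing every candidate value; keying the hash
    with a value the relying party never holds removes that option.
    """
    return hmac.new(key, normalise(doc_type, number).encode(), hashlib.sha256).hexdigest()


def find_duplicates(identities, key):
    """Return {hash: [identity ids]} for every document reference shared by more than one identity."""
    index = {}
    for ident_id, documents in identities:
        for doc_type, number in documents:
            index.setdefault(document_hash(doc_type, number, key), set()).add(ident_id)
    return {h: sorted(ids) for h, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    for digest, ids in find_duplicates(SAMPLE_IDENTITIES, DEMO_KEY).items():
        print(f"{digest[:12]}... is shared by {ids}")
```

Running it reports one group, id-A and id-B, because both present the same passport; id-C and id-D each stand alone. The normalisation step matters in practice: without it, a single stray space or lower-case letter would produce a different digest and a missed duplicate.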
Ensuring the cybersecurity of the Digital Identity System is a multifaceted task, as shown in Figure 3. The TDIF mandates a number of technical security controls, as well as restrictions on data stored by participants to reduce data loss risks.
The Oversight Authority will be responsible for operational security and the availability of the system. Individual service providers are responsible for monitoring their own systems, based on recommendations provided by the authority. There’s no central monitoring, or provisions for monitoring of the networks that interconnect providers, but service providers must report incidents within 24 hours to the authority, which will coordinate investigations and, if required, mandate actions by the relevant participants in the Digital Identity System.
Figure 3: Security responsibilities of the accreditation and oversight authorities
Source: Based on NIST Cybersecurity Framework, online.
The TDIF’s identity exchange has privacy benefits but is also a security risk, as it sees all transactions; because the ‘double blind’ prevents end-to-end encryption, transaction data is unencrypted at the exchange. The TDIF requirements mandate that the exchange must not log any user-attribute data in the logs it produces; however, securing the exchange against insider and external threats will be vital. It has also been suggested that the double-blind model could introduce other vulnerabilities,15 such as a user being spoofed by one relying party into consenting to access by another relying party.
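The brokering behaviour described for the identity exchange role earlier, and the privacy benefit and security cost of the ‘double blind’ discussed in the privacy section and just above, can be seen in a small simulation of one identity service provider, one exchange and two relying parties. This is an added example written for this page, not code from the TDIF, the DTA, Services Australia or any accredited provider; the party names, the sample record, the exchange-held key and the HMAC-derived pairwise pseudonym are all assumptions. It records what each party can observe: each relying party receives a different stable pseudonym for the same person, the identity service provider never learns which relying party asked, the exchange’s audit log carries attribute names but no values, and yet the exchange itself holds the released attributes in clear because nothing is encrypted end to end.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: one verified record held by a demo identity service provider.
IDP_RECORDS = {
    "idp-subject-0001": {"given_name": "Alex", "family_name": "Citizen", "over_18": True},
}


class IdentityProvider:
    """Holds verified identities and releases only the attributes requested."""

    name = "idp-demo"

    def __init__(self, records):
        self.records = records
        self.seen = []  # what the IdP learns about each transaction

    def release(self, subject_id, requested, txn_id):
        # The IdP sees a transaction id issued by the exchange, not which relying party asked.
        self.seen.append({"txn": txn_id, "subject": subject_id, "attributes": list(requested)})
        record = self.records[subject_id]
        return {name: record[name] for name in requested}


class RelyingParty:
    """Receives attributes under a pseudonym; never sees the IdP's own subject identifier."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def receive(self, pseudonym, attributes):
        self.received.append({"pseudonym": pseudonym, "attributes": attributes})


class IdentityExchange:
    """Brokers between RP and IdP so that neither learns the other's identity ('double blind')."""

    def __init__(self, idp, pairwise_key):
        self.idp = idp
        self.key = pairwise_key          # assumption: exchange-held key used to derive pseudonyms
        self.audit_log = []              # metadata only, no attribute values
        self.plaintext_attributes = []   # what the exchange itself can see in memory

    def pairwise_pseudonym(self, subject_id, rp_name):
        # HMAC over (subject, RP): stable for one RP, unlinkable across RPs without the key.
        msg = f"{subject_id}|{rp_name}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def mediate(self, rp, subject_id, requested):
        txn = secrets.token_hex(8)
        attributes = self.idp.release(subject_id, requested, txn)
        # No end-to-end encryption between IdP and RP: the values pass through here in clear.
        self.plaintext_attributes.append(dict(attributes))
        # Log who talked to whom and which attribute names were released, never the values.
        self.audit_log.append({"txn": txn, "rp": rp.name, "idp": self.idp.name,
                               "attributes": sorted(requested)})
        rp.receive(self.pairwise_pseudonym(subject_id, rp.name), attributes)
        return txn


def log_leaks_attribute_values(audit_log, records):
    """Coarse check of the logging rule: no string-valued attribute may appear in the exchange log."""
    values = {v for rec in records.values() for v in rec.values() if isinstance(v, str)}
    text = json.dumps(audit_log)
    return any(v in text for v in values)


def run_demo():
    idp = IdentityProvider(IDP_RECORDS)
    exchange = IdentityExchange(idp, pairwise_key=b"demo-exchange-key")  # constructed key
    bottle_shop = RelyingParty("rp-bottle-shop")
    bank = RelyingParty("rp-bank")
    subject = "idp-subject-0001"

    exchange.mediate(bottle_shop, subject, ["over_18"])
    exchange.mediate(bottle_shop, subject, ["over_18"])  # repeat visit to the same RP
    exchange.mediate(bank, subject, ["given_name", "family_name"])

    idp_view = json.dumps(idp.seen)
    return {
        "rp_a_pseudonyms": [r["pseudonym"] for r in bottle_shop.received],
        "rp_b_pseudonym": bank.received[0]["pseudonym"],
        "rp_a_attributes": bottle_shop.received[0]["attributes"],
        "idp_saw_rp_name": any(rp in idp_view for rp in ("rp-bottle-shop", "rp-bank")),
        "exchange_saw_plaintext": exchange.plaintext_attributes,
        "log_leaks_values": log_leaks_attribute_values(exchange.audit_log, IDP_RECORDS),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The result makes the trade-off concrete: the two relying parties hold pseudonyms that cannot be joined without the exchange’s key, so neither can aggregate the person’s activity on its own, but `exchange_saw_plaintext` shows that the exchange is exactly where every released attribute is visible, which is why protective security and insider-threat controls at the exchange carry so much weight.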
The federal government has committed significant funding for the establishment of the Digital Identity System. A further $160 million was announced in the 2021 Mid-year economic and fiscal outlook,16 bringing the total committed to date to over $600 million. However, the government has made it clear that in the long term it expects the system to be financially self-sustaining. The DTA is still considering charging models and hasn’t published any proposed approaches for public consultation. The approach will need to consider who ends up paying these costs and clearly identify where companies may seek to recoup costs by collecting and monetising data. Australia should also learn from the UK experience—out of an initial seven identity service providers, only two remained after a couple of years, causing inconvenience for users and a shortfall in overall revenues.
Potential knock-on effects on verification providers should also be considered. For example, the document verification service currently receives a fee each time a relying party verifies a customer identity. In the Digital Identity System, the identity service provider could potentially pay the document verification service once to verify identity and then potentially receive a fee from the relying party each time it’s used. This also applies to the planned future face-matching service.
Conclusion and recommendations
Digital identity systems provide an opportunity to unlock economic benefits by simplifying and securing user interactions with government and private-sector digital services. However, to realise those benefits, this report makes eight recommendations to balance convenience, privacy and security considerations:
- In order to encourage broader acceptance and take-up, governance arrangements should be modified, moving away from ministerial control by establishing the Oversight Authority and ownership of the Digital Identity System as fully independent from government (for example, making the Oversight Authority accountable to a board that includes the states and territories and private-sector and civil-society representatives).
- The Oversight Authority should create a formal public reporting mechanism for potential vulnerabilities, and transparency on how those reports have been assessed and acted on, to improve the real and perceived security of the system.
- The DTA should work together with the Department of Home Affairs to put in place funding of projects to address known vulnerabilities in the existing identity document systems (for example, tracking name changes across states to identify duplicate identities being fraudulently created).17
- The DTA should investigate potential mechanisms to identify where potential duplicate identities have been created; as a minimum, include a mechanism to warn individuals so that they can mitigate identity-theft risks, subject to appropriate privacy safeguards.
- The DTA should recommend or mandate enhanced security to be implemented by operators of identity exchanges, including in relation to protective security and insider threats; this should also include investigating potential approaches that could enable end-to-end encryption to avoid sensitive data being unencrypted at the exchange.
- The DTA should mandate and appropriately fund the Oversight Authority to conduct centralised monitoring of the system, including network monitoring using advanced analytics, to detect potential fraud and security issues.
- The DTA should include in legislation stronger protections against the exploitation and aggregation of data collected by relying parties from identity service providers.
- The DTA should ensure that appropriate steps are taken to maximise international alignment and future international interoperability of the systems, to reduce costs for multinational companies and facilitate smoother international digital trade.
17 Nov 2022