The Digital ID Is Coming, But Questions Remain as to Its Future Applications
The legislated whole-of-economy Australian Government Digital ID System (AGDIS) is coming to a brave new 21st century digital world near you, and as usual, privacy advocates are up in arms about what it could mean, while government players dispute that any fears are warranted.
The AGDIS has been operating on a small but growing scale, since the Coalition rolled it out in 2015. And the unlegislated scheme has so far allowed individuals and businesses with registered digitalised identities to connect with government departments securely online.
First released as a draft last August, the Digital ID Bill 2024 and its accompanying Digital ID (Transitional and Consequential Provisions) Bill 2023 were rushed through the Senate last week, with the Coalition opposition voting against the laws, despite the Liberals having initiated the proposal.
And continuing to cast dark shadows over the scheme are Liberal Party figures like current leader Peter Dutton and former attorney general George Brandis, who commenced pushing for an online-based form of mass surveillance mid-last decade, which the AGDIS at least achieves in skeletal form.
At present, the ID scheme is based around the myGovID, but the bill facilities other digital ID providers to also be operating and offering users with a choice.
And while the scheme is to be opt-in, privacy experts have warned that once in operation, it will likely be made mandatory somewhere down the track.
Consent funnelling into all-pervasive
“This Digital ID Bill will put in place the legislative framework to create an economywide digital ID system in Australia,” said finance minister Katy Gallagher, as she’s been overseeing the development of the system, with some input from the ever-prying eyes of Home Affairs.
“Digital ID is a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information,” she added during her 30 November 2023 second reading speech on the bill.
“Digital ID is not a card, it’s not a unique number, nor a new form of ID.”
The new laws appeared last August, following the release of federal Labor’s National Strategy for Identity Resilience the month prior. And it was developed via the Data and Digital Ministers Meeting, which is comprised of federal, state and territory ministers dealing with these portfolios.
The minister cited 2022 data breaches involving Optus and Medibank, as providing urgency to the laws, as they’ll “help to address this” issue.
Yet, she also notes that those in office will be able to exempt some government services from alternative providers, so as to require myGovID for access.
And an 18 August 2023 email that Sydney Criminal Lawyers received from the Department of Finance Media Team outlines that the biometric option of verifying one’s identity is only for users who consent.
However, just as the myGovID will be mandatory in part, consent doesn’t mean images of people’s faces won’t be caught up in the scheme.
Facilitating online exchange
The bills have already been through parliamentary committee reviews, so it’s likely the laws, which swam through the Senate, will receive the same fate in the lower house. And with the racist pollies from One Nation being the only vocal opponents to the laws, it’s likely not much will change.
The new laws establish the Australian Competition and Consumer Commission (ACCC) as the new Digital ID Regulator, which will deal will monitoring and accrediting providers, via a set of accreditation rules.
According to the bill’s explanatory memorandum, accreditation will be available via “three kinds of digital ID services: attribute service provider, identity exchange provider and identity service provider”, which will be those entities facilitating the use of the “federated digital ID system”.
Attribute service providers, the bill explains, are entities that provide or propose to provide, “a service that verifies and manages an attribute of an individual”.
Section 10 of the Digital ID Bill lists attributes linked via a digital ID, as including current and former names and addresses, date of birth, phone number, email address, digital ID and optional biometric information.
However, section 11 provides those attributes that are linked with the ID but are not to be provided to organisations, which include racial markers, health and criminal records and government identifiers, such as a tax file number, Medicare number and driver licence number.
Accredited identity exchange providers are those bodies that will provide for the flow of information between entities within the AGDIS, and identity service providers generate and maintain digital IDs.
Indeed, the other concerning issue is law enforcement access. In terms of this, such agencies wanting to access biometric data relating to an individual will require a warrant, but when it comes to personal information, there’s a long list of permissible reasons to access it without a warrant.
The Capability
“myGovID uses the Face Verification Service to conduct biometric verification, but that service sits outside of the Digital ID system,” Finance told SCL last year, adding that the FVS is a separate system that also provides “additional privacy safeguards”.
The Identity Verification Services Act 2023 passed last year. And it established the FVS and the Document Verification Service, which can establish facial verification, as it links up all federal, state and territory databases via a hub, which includes passport, immigration and licence photos.
So, at least for the early stages of the system, the use of biometric information is established when a person takes an image of themselves using their phone, and though this image is not stored, it can be verified using the FVS system, via its matching to an individual’s registered and stored ID photos.
The consequential provision’s explanatory memorandum outlines that a person can create a digital ID with the added strength of biometric information, which will ensure that it is then linked to their identity sources in these other databases.
The Commissioner of Taxation, however, “will be authorised to collect, use and disclose biometric information for the purposes of verifying the ID of a person, using facial images to create an identity proofing (IP) level 3 (known as a ‘Strong’) digital ID”.
So, the digital ID system will provide users with access to both government and commercial services, via a system that can verify basic details, with the added extra of consensual biometric information, which can be stored by certain entities and can be linked to verify a person to their preexisting IDs.
But the year after the roll out of the unlegislated digital ID system, the Turnbull government established The Capability, which is something of a manual FVS that relies solely on federal photo ID databases, and allows for the matching up of these stored images with stills from CCTV footage.
Brandis, and then his successor in Orwellian outlooks for an authoritarian Australian future, current Liberal leader Peter Dutton, began plotting for a real time interoperability hub that would allow for the matching of CCTV images with all these ID databases nationwide in real time.
The interoperability hub is now operating via the FVS. And once established, the AGDIS will have the ability to match people, via their phones if willing, with their facial images stored in these government databases.
And the only thing left for PM Peter Dutton to tweak when he’s elected to office next term, will be to provide an ability, so these networkds can be utilised within a nationwide surveillance system that would allow CCTV stills to identify people’s positions remotely.