Australia’s new digital ID scheme falls short of global privacy standards. Here’s how it can be fixed

By Ashish Nanda, Deakin University; Jongkil Jay Jeong, Deakin University, and Robin Doss, Deakin University

Australia’s new digital ID system promises to transform the way we live. All of our key documents, such as driver’s licences and Medicare cards, will be in a single digital wallet, making it easier for us to access a range of services.

The federal government is still developing the system, with a pilot expected to run next year. Known as the “Trust Exchange”, it is part of the Trusted Digital Identity Framework, which is designed to securely verify people’s identities using digital tokens.

Earlier this year, in a speech to the National Press Club in Canberra, Federal Minister for Government Services Bill Shorten, called the new digital ID system “world leading”. However, it has several privacy issues, especially when compared to international standards like those in the European Union.

So how can it be fixed? Trust Exchange – or TEx – is designed to simplify how we prove who we are online. It will work alongside the myID (formerly myGovID) platform, where Australians can store and manage their digital ID documents.

The platform is intended to be both secure and convenient. Users would be able to access services ranging from banking to applying for government services without juggling paperwork.

Think of the system as a way to prove your identity and share personal information such as your age, visa status or licence number — without handing over any physical documents or revealing too much personal information.

For example, instead of showing your full driver’s licence to enter a licensed premises, you can use a digital token that confirms, “Yes, this person is over 18”.

But what will happen to all that sensitive data behind the scenes?

Falling short of global standards

The World Wide Web Consortium sets global standards around digital identity management. These standards ensure people only share the minimum required information and retain control over their digital identities without relying on centralised bodies.

The European Union’s digital identity system regulation builds on these standards. It creates a secure, privacy-centric digital identity framework across its member states. It is decentralised, giving users full control over their credentials.

In its proposed form, however, Australia’s digital ID system falls short of these global standards in several key ways.

First, it is a centralised system. Everything will be monitored, managed and stored by a single government agency. This will make it more vulnerable to breaches and diminishes users’ control over their digital identities.

Second, the system does not align with the World Wide Web Consortium’s verifiable credentials standards. These standards are meant to give users full control to selectively disclose personal attributes, such as proof of age, revealing only the minimum personal information needed to access a service.

As a result, the system increases the likelihood of over-disclosure of personal information.

Third, global standards emphasise preventing what’s known as “linkability”. This means users’ interactions with different services remain distinct, and their data isn’t aggregated across multiple platforms.

But the token-based system behind Australia’s digital ID system creates the risk that different service providers could track users across services and potentially profile their behaviours. By comparison, the EU’s system has explicit safeguards to prevent this kind of tracking – unless explicitly authorised by the user.

Finally, Australia’s framework lacks the stringent rules found in the EU which require explicit consent for collecting and processing biometric data, including facial recognition and fingerprint data.

Filling the gaps

It is crucial the federal government addresses these issues to ensure its digital ID system is successful. Our award-winning research offers a path forward.

The digital ID system should simplify the verification process by automating the selection of an optimal, varied set of credentials for each verification.

This will reduce the risk of user profiling, by preventing a single credential from being overly associated with a particular service. It will also reduce the risk of a person being “singled out” if they are using an obscure credential, such as an overseas drivers licence.

Importantly, it will make the system easier to use.

The system should also be decentralised, similar to the EU’s, giving users control over their digital identities. This reduces the risk of centralised data breaches. It also ensures users are not reliant on a single government agency to manage their credentials.

Australia’s digital ID system is a step in the right direction, offering greater convenience and security for everyday transactions. However, the government must address the gaps in its current framework to ensure this system also balances Australians’ privacy and security.

The Conversation

Ashish Nanda is Research Fellow, Deakin Cyber Research and Innovation Centre, Deakin University; Jongkil Jay Jeong, Senior Research Fellow, Deakin Cyber Research & Innovation Centre, Deakin University, and Robin Doss, Director, Deakin Cyber Research & Innovation Centre, Deakin UniversityThis article is republished from The Conversation under a Creative Commons license. Read the original article.