ECU information security researcher Leah Shanley says there is “legitimate concern” a national digital ID plan could see people missing out on government services if they don’t sign up, or that it could even become mandatory.
The federal government’s considering legislation that would expand the “myGovID” program some people already use to access the tax office and Centrelink, where users first upload identity documents to create an account for quicker future access.
This bill would pave the way for widespread adoption, allowing private companies to use the system to identify customers.
Having a digital ID would be voluntary at launch, but not signing up could mean missing out as more businesses start using and demanding it, and Ms Shanley says there’s a risk of “function creep” if an opt-in system one day becomes mandatory.
“Citizens may well be forced to opt-in or miss out on the service. This is a legitimate concern,” she says, and there’s precedent for other government rules undergoing function creep.
“As we can see with ‘two weeks to flatten the curve’, we are now discriminating against (rightfully or wrongfully) unvaccinated Australians, contact tracing has no end, and the push for vaccine passports is strong, despite Scott Morrison stating publicly we do not have mandatory vaccine policy in Australia… one has to question where this will end up.”
Ms Shanley said: “My research suggests, as does other empirical research, that citizens do not want to be monitored” and she is currently studying why people sometimes accept surveillance measures.
So far the factors seem to be when citizens trust a government, when there’s little information about who is processing data and where it is being stored, and when people are fearful – such as accepting contact tracing amid the threat of Covid.
Ms Shanley says citizen trust in the government has been steadily declining since 2007 and has suffered some recent hits, noting the WA government asserted SafeWA data would not be accessed by anyone but the health department.
“The WA Police requested access to that data just nine days after the Covid app was rolled out. The WA state government moved quickly to close the loophole with legislation; nonetheless it happened.”
People not understanding the depth of corporate access and handling of their data may also mean they don’t resist.
“My research suggests that citizens trust government entities more than private entities, but do not understand the network of relationships formed in the information environment,” Ms Shanley says, noting “data custodians are almost always third party providers”.
Amazon Web Services hold Covid app data, and private companies can be certified to hold data under the new digital ID bill.
“The question then becomes not ‘do I trust the government’, but ‘do I trust the government and Amazon Web Services’. The missing link here is knowledge.”
Ms Shanley says whether people accept digital ID comes down to trusting the government will not make it mandatory and will ensure the data is adequately protected in storage, transit and processing.
“One must think necessarily about the government of the day, but also the government of the future,” she says.
Govt systems hit by data breaches, human error, and system failures
THE digital ID system may be especially susceptible to attack by “easily-implemented code”.
During the 2020 round of consultation on the digital ID, security researcher Ben Frengley and renowned cryptographer Vanessa Teague advised the government of their 18-month investigation into the current version used by the Australian Taxation Office.
They identified “a number of serious security and privacy failings”, describing the identity exchange as “an extremely brittle architecture that would allow for large-scale identity fraud if that one component came under the control of a malicious party”.
Dr Teague had previously discovered historical Medicare data that was supposedly stripped of identifying details but could still be matched to patients’ names, had jointly discovered that New Zealand census data identifying participants was visible to a private company overseas, and was part of a team that found flaws in the “iVote” internet voting system used in New South Wales.
Since their submission the digital ID bill’s been updated to require participating companies to “seek help when affected by a cyber security fraud or a cyber security incident” and there are new restrictions on accessing and storing data.
It’s unlikely to be watertight: the bill already plans for failures by including a “redress scheme” so “customers have protections in the event of a fraud or cyber security incident”.
In the first six months of 2021 the Australian Information Commissioner was notified of 34 data breaches of federal government agencies.
Most data breaches occurred due to malicious or criminal attack, about 30 per cent were down to human error, and 5 per cent were system failures.