Not mad, disappointed: DTA hits back after ASPI attacks federal digital identity plays

By Stephen Easton

Friday October 19, 2018

The Digital Transformation Agency has defended its work on digital identity against claims that it is a political landmine waiting to go off due to latent fear of government surveillance. The claims came from an unlikely source: the Australian Strategic Policy Institute.

“Controls are needed to prevent a Western version of China’s ‘social credit’ scheme emerging,” writes the head of ASPI’s International Cyber Policy Centre, Fergus Hanson. In the article, he also raises the spectre of the Australia Card backlash in the 1980s, which is often cited as proof that Australians are strongly averse to anything that even sounds a bit like the government keeping tabs on them. The DTA says he is way off the mark.

“The report was inaccurate and contained many factual errors,” according to the DTA statement. “It was not an informed or objective appraisal of the program.

“The Digital Transformation Agency (DTA) generously engaged with the author multiple times, providing feedback on factual errors which were not addressed in the final report. This is disappointing given the profile of the Australian Strategic Policy Institute.”

The ASPI researcher appears to have hit a nerve at the DTA by making the exact kind of criticism it has tried to avoid all along in its digital identification work. Two years ago, the agency first presented its “double-blind” approach to the technical design of the crucial identity exchange at an IT conference, but the project was soon put on hiatus.

The double-blind identity exchange platform will be run by the Department of Human Services and could be used by multiple separate providers of digital identity credentials, one of whom will be the Australian Taxation Office.

Double-blind means an organisation, a bank for example, can verify that a person is who they claim to be without receiving any other personal information that identifies them. In theory, federal agencies would not receive information about the bank, or why it wants to verify the person’s identity, either.

Nor will the government store a big database of sensitive information, the DTA argues, and it refutes the suggestion that companies could set up their own additional systems that harvest data from usage of new digital identity credentials.

“The association of China’s social credit system and the Australia Card with Australia’s new digital identity program has no basis. Nor do claims that private sector companies will be able to harvest user data. These demonstrate a clear misunderstanding of how the digital identity system is intended to work.”

The DTA rebuts a lot of the claims in the ASPI article, which aims to build an argument that there is a political risk to the digital identity projects from a lack of public understanding.

It is fair to say that communications and public consultations are a key challenge for the DTA in this arena. Most people know little about what the government is doing with digital identity and would struggle to understand the technical jargon, as well as the meaning of brand names like GovPass and myGovID — a new term the minister just started using all of a sudden one day.

At one point the ASPI article suggests many citizens might conflate facial verification for digital identity systems with a new system that allows law enforcement agencies to identify people from facial photographs more easily. However, the DTA’s rebuttal suggests the report probably created more confusion, if anything.

“The opinion piece also describes the myGov website as a credential. This is not correct. myGov is the government’s online portal, used by over 11 million Australians to access up to 11 government services, such as MyTax, Medicare and Centrelink.

“This again demonstrates a lack of understanding about the systems currently in place, in addition to emerging ones.”

The frustrated agency has also tried to clarify its two separate but related projects: first, a single system of standards and the double-blind exchange infrastructure that can be used by multiple providers of digital identity credentials; and second, a new entity within the Tax Office to act as one of those providers, offering a credential now known as myGovID.

The agency also takes issue with the idea that the Digital iD app developed by Australia Post, a government-owned company which will seek to become another accredited digital identity provider alongside the ATO, demonstrates that almost $180 million in federal funds have gone towards two separate “digital identity schemes” in competition with each other. “This is incorrect,” the DTA asserts, adding:

“The digital identity federated model allows for multiple identity providers but only one system. This means people using the system will be able to choose to set up their digital identity with their provider of choice.

“The system is also opt-in, so people will have a choice whether or not to use it.

“The DTA takes its obligation to protect the privacy of Australian citizens very seriously. We have consulted with thousands of people in developing the system, including privacy advocates and community groups. The DTA will be releasing the outcomes of a privacy assessment on our website soon.

“The digital identity program is aligned with the Australian Privacy Principles and the Privacy Code, the Information Security Registered Assessors Program, and the Australian Government Protective Security Policy Framework and Information Security Manual. It requires participants to undertake independent security testing and assessments.

“Delivering a safe and secure system that will operate with integrity and make the lives of users simpler and easier has been at the heart of the design of the system from the very beginning.

“Our objective is to build a digital identity program that will support Australia’s future economic and social prosperity.”
