Everything is in place for Australians to start establishing myGovID digital identity credentials, and the first of eight pilot programs is now underway to test and demonstrate the new product.
Participants in the first trial will set up their own working prototype myGovIDs, through an app initially built for Apple iOS devices, and use them to apply for Tax File Numbers online.
The aim is to introduce the new digital identity product gradually and demonstrate how it works as well as why citizens would want to voluntarily register for myGovID. In the case of getting a TFN, as about 750,000 people do each year, the benefit is it takes a few minutes and a short online form rather than several weeks of waiting, presenting physical identity documents, and a trip to the post office.
The Digital Transformation Agency, which runs the overall project (called GovPass), and the Australian Taxation Office, which issues the myGovID credential through the new smartphone app, demonstrated all the working parts to a group of journalists in Sydney yesterday.
The Department of Human Services sent along its chief technology officer and acting chief information officer Charles McHardie to explain its role: running the core element of the proof-of-identity process in the broader GovPass framework, called a double-blind identity exchange.
The Minister for Human Services and Digital Transformation, Michael Keenan, and Assistant Treasurer Stuart Robert made some comments and fielded a few questions. Public servants from the ATO, DHS and DTA were on hand to explain their respective roles and the technical nuts and bolts.
“We take the delivery of this program very seriously,” DTA chief executive Randall Brugeaud told a group of reporters from specialty IT and business-focused publications including The Mandarin, and mainstream outlets including the ABC and News Corp.
“We are carefully and deliberately delivering digital identity in stages, testing with users, iterating and improving as we go. We’re ensuring that it has strong integrity controls, security controls, and privacy controls.”
Finally announcing the first myGovID pilot was a “momentous day” for Minister Keenan, who commented that it was hard to manage a lot of different username and password combinations.
The minister said having to set up separate user accounts over and over again was an “enormous disincentive” that discouraged people using government online services, because they forget passwords and it’s complicated. Password management apps deal with this issue quite well, of course, but there is no doubt that constantly being asked to create a new user profile gets tiresome.
The idea is that other federal, state and territory agencies, as well as companies and other organisations that need people to prove their identity, can also start accepting myGovID.
“There’s no reason why this can’t be the building block for a whole-of-economy solution to digital identity,” Keenan said, adding he was keen to see the project “accelerated” when he took over the portfolio. He also acknowledged the understandable concerns about privacy and security and said these had been “at the core” of the whole project all along.
One aim of the briefing was to reinforce the point that by technical design, the identity exchange does not enable the government to learn anything new about citizens or make it easier to track their comings and goings.
Keenan explained that myGovID won’t create a new database of identity information or aid police and security agencies to investigate people more easily.
The government is not issuing myGovID as a mandatory or unique national citizen identifier. It expects to see other credentials besides myGovID, offered by other providers in the private or public sector, but it has taken steps to encourage these to employ similarly high standards.
Other digital identity providers will be able to use the privacy-protecting identity exchange system managed by DHS, and the DTA has a set of high standards that should help people decide if other digital identity credentials that emerge are trustworthy. This would be indicated by compliance with the Trusted Digital Identity Framework, a series of rules and detailed technical specifications, developed over the past few years through an open and consultative drafting process.
The myGovID digital identity app will be available to anyone from next year – not just on Apple iOS devices – and the quicker TFN application process will be followed by other pilots based around seven other single transactions.
The DTA has already worked with feedback from about 1800 people so far and will continue updating and improving the system based on the experience of participants in the eight trials over the next nine months.
“We’re not forcing Australians to have a myGovID, but I believe that the convenience … is going to mean that most Australians will want one,” Keenan said. “It’s not going to close down our face-to-face channels of dealing with people, it’s not going to close down our call centres, but it will certainly alleviate an enormous amount of pressure with people accessing services digitally, using this new myGovID.”
The app and the double-blind identity exchange
The ATO’s myGovID app can optionally be protected by a password or the device’s in-built authentication methods like finger scanners or Apple’s FaceID. During the registration process, the 100-point identity check uses the existing Document Verification Service to confirm the validity of identity documents and the newer Face Verification Service to also confirm the person’s identity.
As the Department of Home Affairs website explains, this is one of two new capabilities, the other being a system for police and security agencies to identify an unknown person from a picture:
“The Face Verification Service (FVS) is a one-to-one, image-based verification service that can match a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity. Often these transactions will occur with the individual’s consent.
“The Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports, and immigration and citizenship documents.”
The prototype shown at yesterday’s media briefing only accepted passports, driver’s licences and Medicare card numbers, but the future public version will be able to verify the range of other forms of documentation that one might use in a typical 100-point check.
The time and expense to the citizen involved in proving one’s identity to get a passport or driver’s licence can essentially be stored in the myGovID app to be used over and over. The Assistant Treasurer said the pilots would explore how to deal with people who have a range of unique and unusual situations, with various licences from different jurisdictions, changes of name and so forth.
If the user only plugs in their Medicare card, for example, their myGovID is still created but the app tells them it only has “weak identity strength” which means it could only be used for a limited number of purposes that don’t require the full 100 points. The TDIF explains these different levels and is based on the same point values assigned to particular identity documents in the long-standing 100-point check system.
Like the Document Verification Service, the newer FVS system provides a simple yes-or-no verification, based on facial recognition data created from passport and driver’s licence photos that are already on record.
The myGovID app takes a photo for this purpose and then deletes it. It also has a visual version of the CAPTCHA system to ensure there is a live person in front of the camera, by asking the user to move their face around to join a series of dots overlaid on the screen.
Applying for a TFN with myGovID will provide “significantly greater protection against fraud and identity theft and better privacy protection” than the current paper-based process, Stuart Robert said.
The digital identity exchange is like “the plumbing” behind the “GovPass ecosystem”, said Charles McHardie from DHS. It aims to set a high standard of personal privacy for myGovID and any other credentials that use it in future. Double-blind means DHS doesn’t know what organisation is requesting verification or why, and that organisation simply gets a yes-or-no answer from the exchange confirming the person is who they say they are.
The organisation asking for proof of identity would have to request and manage any other personal details they want to demand from their customers just as they do now; the myGovID system just provides an instant digital 100-point check, although it might increase the reliability and hence the monetary value of the data companies collect about their customers at every chance they can get.
As the exchange infrastructure becomes available to other companies or agencies that provide their own digital identity credentials, as long as they are compliant with the TDIF, myGovID serves as an exemplar of what the federal government believes digital identity credentials should look like.
Together, the TDIF and the identity exchange aim to set a high bar for digital identity credentials that Australian organisations and consumers will accept.
This means there are three options for entities that need to confirm who they are dealing with over the internet: accept myGovID as an online identity check; set up their own similar product, if they believe they can add value in this way; or continue confirming people’s identity however they do currently.
Keenan and Brugeaud both noted Australia Post had already begun offering an alternative identity credential, which is likely to be the second credential inside the GovPass “ecosystem” after myGovID. Banks, however, are already suggesting they might not find the myGovID system suitable for their purposes.
“We would certainly encourage other private sector organisations to be a part of this — I’ve just actually … been at an Australian bank and they were going through some of the issues that they might have with being a part of it, so it might not be an identity solution that is useful for every single purpose,” Keenan said. “We hope that it’s utilised as much as possible, and it will certainly be a global solution to access government services.”
The minister noted that banks already have their own means of identifying their customers and said they were concerned that myGovID alone might not be enough to comply with their various industry-specific regulations, such as “know your customer” rules.