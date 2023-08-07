Attorney-general Mark Dreyfus has officially wrested back ownership of key enabling legislation needed to make forthcoming new digital identity laws compatible with a stalled national biometric facial matching system that was hit for six by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS).

Machinery of government changes under Administrative Arrangement Orders made at the end of last week transfers responsibility for “identity and biometrics policy, strategy and delivery and identity matching services” so they “better align with the Attorney-General’s privacy and cybercrime priorities”, an overt policy shift towards civilian rather than uniformed control of the powerful technology.

The shift to the Attorney-General’s, which is the department that also houses the key privacy watchdog and regulator Office of the Australian Information Commissioner, is likely to temper some of the more ambitious applications that automated biometrics can be used for in areas like mass surveillance and pattern recognition to help predict potential crimes, violence and incidents.

The Identity-Matching Services Bill 2019, which would have authorised the creation of a massive interoperable biometric facial recognition repository that spanned across agencies ranging from state transport licensing to passports to police records, was unceremoniously rejected and thrown back to Home Affairs as seriously undercooked and lacking in detail in October of that year.

There were also serious concerns that a biometric-enabled digital identity system could be too easily coopted and railroaded by law enforcement interests to primarily serve an automated reconnaissance technology rather than making identities and transactions more secure.

The primary tension is that if left insufficiently checked or poorly controlled by black-letter legislation, a new centralised biometric facial database could cause as many problems as it solved for policymakers.

There are real grounds for serious concerns. Last month, Crikey revealed the seemingly unregulated use of Auror facial recognition technology not only by major Australian retailers but also by the Australian Federal Police in the ACT, who had been tapping into the for-profit crime intelligence and prevention system as a form of shadow IT.

A major advantage of re-embedding the biometric identity authentication function inside AGD is that the commonwealth’s top legislative drafters and law officers will get a crack at pushing out laws that are a lot tighter and far better defined than more open-ended ones the state security estate may desire.

Enabling legislation for Australia’s digital identity ecosystem was also put on ice after the proposed biometrics laws were rejected, and it now seems likely the two will be bowled up at the same time that would give drafters, reviewers and legislators the ability to make joined-up changes as required.

The need to create a cohesive governance and regulatory framework for state use and interoperability of biometric credentials and exchanges made it plain to the previous government in the Wilkins Review delivered in March 2019 — which was dutifully buried by the Morrison government and only recently extracted by eminent technology journalist Justin Hendry under Freedom of Information.

Penned by former AGD secretary Roger Wilkins, the report dubbed the “Review of National Arrangements for the Protection and Management of Identity Information” did not mince words and included chapter headings that made it very easy to determine its conclusions.

These headings included ‘The purpose of key “identity” documents is not identity’; ‘There is no logical framework’; ‘There are no standards’; ‘The foundation is weak’; and the superlative ‘The “100 Point check” does not make sense …’.

The report was sufficiently frank and fearless enough to spook the Morrison government out of attempting to untangle the identity system hairball and bury the document, with COVID subsequently dominating policy for the next two years.

One of the policy issues lawmakers will have to grapple with is the dominant role of Apple. While the company has mainstreamed facial recognition as a security feature on its devices, the hash of the pattern used to recognise faces resides on Apple devices’ secure element; Apple has long resisted handing over the master keys even in the US.

The Albanese government now also has to contend with an opposition that is ready to take it to task over progress on digital identity. Shadow government services minister Paul Fletcher wasted no time on Monday in saying it was “entirely unclear” if the machinery of government changes would align with the “Department of Finance which is, apparently, leading work on a legislated digital ID.”

“Identity policy is being passed around like a hot potato by Labor ministers,” Fletcher said.

“This latest decision follows the unexplained move by the Albanese government last month to strip the Digital Transformation Agency of its responsibility for digital ID. The lack of clear and consistent leadership is delaying progress on legislating digital ID.”

“The confusion around digital ID is crippling the ability of the private sector to plan for a whole-of-economy system,” Fletcher said. “So far, Labor have tinkered around the edges of digital ID without doing the hard yards.”

