Australia needs to rapidly establish a robust and open trust and identity framework and supporting privacy policies if all tiers of government and business are to work together to provide modern, intelligent and easy-to-use digital services.
This framework is foundational to the many ambitious digital transformation programs now underway at all levels of government. The broad aim is to build a competitive and innovative framework for trusted products and services, that lowers transaction costs and which encourages governments to work with other major players, such as the banks and telecommunication companies.
Building citizen trust in these services is a critical prerequisite so any new regime has to be supported by strong privacy policies, encryption technologies and real sanctions for any breaches.
Central to this is designing a verification and authentication system which is easy to use and arguably lets citizens control who has access to their identity and personal data and has well understood privacy and security controls baked in.
Federated, syndicated or single ID system?
David Murray’s Financial System Inquiry last year revealed Australia’s infrastructure is highly fragmented, consisting of a largely unco-ordinated network of trust credentials.
The Attorney-General’s Department has found that around 20 different government agencies manage more than 50 million identities, with a similar number issued in the private sector. The final FSI report found:
“Australia has no clear strategic vision for digital trust management and, consequently, little co-ordination and limited ability to attain potential network benefits that would lower costs and reduce duplicative processes.”
Responding to the report, the Coalition government late last year accepted the FSI recommendation for a federated model of multiple trust regimes and has asked the Digital Transformation Office to come up with a framework.
The FSI broadly supported the Department of Human Services myGov strategy of leveraging current public and private infrastructure. While the FSI said a single ID system would have significant “network benefits”, it argued this would involve significant extra cost to government and arguably would lock down trust management as an ecosystem, stifling innovation.
The counter argument comes from the Nordic countries. They are among the leading digital economies in the world; some claim this is because they use a single ID system which has enabled them to offer connected services far more efficiently. This single ID is supported by uber military-like encryption as well as controls that enable citizens to determine who has access to what data. There are also typically strong compliance laws to enforce privacy of sensitive private data, such as health or financial data.
In Australia there has been privacy concerns that this would be the digital version of the unpopular Australia Card. This is despite the rapidly changing perceptions around privacy caused by social media, large-scale (unregulated) tracking of IP, Mac and email addresses and near ubiquitous connectivity.
A middle ground is a syndicated system which enables providers of services to adopt the verification system of another provider (eg: a myGov ID).
Whatever the architecture, it is widely accepted by digital system thinkers that without an agreed regime it is near impossible to offer citizens easy-to-use, intelligent services.
As Prime Minister Malcolm Turnbull told the Business Council of Australia late last year, citizens should only have to tell governments once where they live, for example. He deliberately said this principle should apply to all levels of government:
“‘Tell me once’ should be a principle that applies right across government. We should be able to recognise that the fascinating constitutional differences between local government, state government and federal government — obscure and unclear and ambiguous as they often are — are of absolutely no interest to citizens and most businesses. They want results.”
The economic benefits of being able to access multiple government services from a single set of digital credentials are large. The Department of Human Services estimated the myGov portal will generate around $550 million in savings for users over the next 10 years. There have also been additional economy-wide estimates of the value of digital trust being up to (a whopping) 8% of GDP, with government and healthcare generating nearly half that gain.
Digital trust management is critical as government seeks to create seamless end-to-end digital transactions across multiple agencies and tiers of government. The DTO, for example, is currently building a single application for registering a business, which talks to federal, state and local government systems and a myriad of licensing agencies typically associated with business registration. This requires agreement around trust so each agency can be part of this service.
And as governments embrace intelligent systems which can predict usage patterns and suggest best services for citizens, it is vital there is a consistent and robust digital trust regime to underpin these services. Working well, these services will operate in the background, removing the need for citizens of much of the drudgery of dealing with multiple government agencies.“Trust management becomes even more critical as governments interact with other large players …”
The classic example is a baby: where once a baby is registered, it is registered for all purposes — healthcare, education, social security, tax (for parental rebates), international travel, etc — with all the relevant agency systems notified and triggered to come into play at the relevant time.
Trust management becomes even more critical as governments interact with other large players such as banks, telecommunication companies and airlines. Banks, for instance, already have robust identity systems which for many government type transactions (eg: a public transport travel card) would be more than adequate.
Ditto if governments want to take advantage of probably the largest digital trust hardware system in the country: the identities associated with the 30 million-plus mobile devices. Each is currently ID checked on activation, meaning these phones are ready to be an authentication device for any number of government services. Many commercial and some government services already use mobile numbers as a part of a two-factor verification of identity.
Modern banking EFTPOS devices are more than capable of handling a multitude of payments and licensing applications that government frontline offices currently handle, or which citizens have to literally mail away for. This opens up the possibility of the verification, authentication and even the the actual transaction being carried out on third-party systems (such as banks or other payment platforms), something that would mean governments do not have to build any of this infrastructure.
Building a trust architecture
In essence, what has to be constructed is a system which citizens and consumers will trust to share their identity with and which the participants also trust to pass ID and other data to each other.
In this world, what is needed is a type of middle system that talks with, and brokers, the various government and non-government trust systems. An early example of this type of interoperability is the use of, say, Facebook or Google IDs to access other web services. There are also, in the United States and United Kingdom, commercial players that have stepped into the space to act as verification agents and then to also offer authentication services and technologies to link the various players that need to verify people so they can access services and products.
In Australia there has been a rapid take-up (around 10 million users) of the myGov platform for accessing tax, health and welfare payments. Similarly, the state governments — through their historical management of drivers’ licences — are also building (in the case of New South Wales) or contemplating digital ID systems to support its large-scale digitisation programs.“… the backbone of any new ID regime has to be government led. And that may be part of the problem.”
This means we already have a de facto government-driven ID system, which enables access to a large variety of (government ) services. With the other major players (banks, telcos, airlines, etc) already offering their own ID system, and Australia Post offering ID verification on a fee-for-service model, it will be challenging for any third-party player to establish scale. The DTO has commissioned research to validate the size of the market for identity, and determine whether there is a role for the DTO to play in developing this market.
This suggests the backbone of any new ID regime has to be government led. And that may be part of the problem. Already the bigger players — the Department of Human Services, the Australian Taxation Office, Medicare, Australia Post, the NSW government — are pushing their own strategies and solutions. Without a strong, centrally driven or at least highly co-ordinated approach, there is a high risk of agency turf wars stymieing and stalling the adoption of a national system everyone buys into.
The risk is what happened in New Zealand, where an early decision was made to build a user-friendly verification system (albeit one where you still have to physically verify your identity at a Post Office). Called Real Me, it has struggled because of lack of agency and private sector buy-in. The door was made nice and shiny, but there was nothing in the house.
Enter the Digital Transformation Office
Despite good forensic policy work by the Department of Finance, there has not until recently been the political determination to take on the leadership role needed to sort out the complex framework, architecture, technology, privacy, security and liability issues.
The Turnbull government has given this job to the new Digital Transformation Office. The work is being led by Rachel Dixon, an external recruit from the film and online video world, most recently COO of Viocorp
DTO CEO Paul Shetler had taken an early decision that the user experience of the myGov platform was not going to good enough if there is to be widespread digitalisation and joining up of services — as did the NSW government and its major service portal, Service NSW. (As communications minister, Turnbull pushed strongly for the states to embrace myGov as their entry portal.)
Dixon is now going through the discovery phase of developing an alpha product to verify the identity of consumers to a level that’s sufficient for them to access government services. Dixon’s team is also aiming to create a credential or login you get when you verify your identity, allowing access to secure government services. The aim is to have an alpha product — a test prototype — by August.
What makes this work different from previous attempts is the DTO’s determination to solve this as a user or citizen problem, rather than as an internal government problem. The central hypothesis is citizens are driven by Turnbull’s ambition to just verify themselves once and not to have to prove time and again who they are.
Dixon and her team are developing typical use cases to understand the journeys and test in research what citizens really want. This work will drive both the product and framework design. Dixon observes that a good deal of the thinking in the identity space has been based around jumping to technological solutions, before the user needs have been properly established.“… having an understanding of what the technology can support and the emerging architectures does allow a more strategic approach.”
That said, having an understanding of what the technology can support and the emerging architectures does allow a more strategic approach. Dixon’s team have been looking at the Trust Vectors model being developed by the Internet Engineering Taskforce. This model can finely tune the levels of trust needed for the different parts of the identification and authentication process.
Also coming fast are distributed technologies such as block chain, which enable a distributed approach to authentication, removing the need for a large centralised “database” to be established as a single source of truth. The big banks — most prominently the Commonwealth — have been playing with these technologies in the context of bitcoin and can see widespread application in the authentication space.
Developing this regime is a major piece of work and is undoubtedly the central challenge of the new digital transformation minister, Angus Taylor. Taylor is a former consultant with boutique firm Port Jackson partners (alumni include Rod Sims and Fred Hilmer) and a Sydney University medalist in economics.
Taylor grew up on a farm at Nimmitabel on the high plains of the Monaro. His maiden speech talks of rounding up cattle on horseback. He now lives on a farm outside of Goulburn and has written a long unpublished “thesis” on digital government. He brings a much-needed intellectual clout, necessary to QA the ID framework and to weigh up the many judgments needed.
How good he is at corralling the wild horses of government is to be seen.