Observing how citizens use digital identity services — rather than merely asking them — is vital, says the Digital Transformation Office’s head of identity, Rachel Dixon.
What people say and do when it comes to privacy and security are often two very different things, Dixon explained at the Connected Government conference in Melbourne last week: while many balk at the idea of providing a fingerprint for verification when asked, plenty already use such technology, whether on an iPhone or to sign in at work.
The situation is not helped by the fact a lot of what citizens believe about privacy comes from television shows like CSI.
But where it presents challenges is in our desire for convenience. People sign up to a digital identity when they need to get something done and don’t want to spend lots of time verifying their own identity. This divide between “current me” and “future me” comes up again and again, Dixon reveals.
“Future me cares a lot about privacy and security — privacy is really important to me,” she said. “Current me wants to get stuff done and I’ll compromise things this afternoon and think, ‘I’ll fix things next month’.”
The challenge then for those designing a verification system is how to require “the absolute bare minimum data set” to make it safe, but also convenient to use. If you can base it on data that’s difficult to reproduce or steal, even better.
“If you’re a bloke you’ve got a bunch of documents lying around in your wallet. You’ve possibly got a birth certificate lying around somewhere. If you’re a young man in a share house, the chance that somebody else could get access to that? Actually pretty high,” Dixon said.
Although many would be uncomfortable at the idea of giving a government entity their fingerprint, it’s more difficult to use for fraud. “Give somebody something that’s harder to steal, they can’t tell you they have the thing, but they have a thing that they can assert,” she argued. “That’s more secure. More valuable.”
And don’t give them a number. Apart from being easy to steal, someone will probably compare your government to Hitler.
“Somebody will invoke Godwin’s law at some point on a forum,” she said. “Your minister is going to be embarrassed at a certain point by the way that discussion goes. It’s just going to go badly. The history of national identity schemes is full of those sorts of discussions. We don’t want to go there.”
A federated system
The DTO will release an alpha version of a federated verification product in August, as well as a framework for how participating agencies will verify customers to different levels of assurance.
Dixon’s comments suggested customers already using similar identification systems — such as from Service NSW and the Queensland government — hopefully won’t have to verify themselves anew, but will be slotted into the federated system.
“There are a substantial number of consumers in Australia who already have digital identities in one way, shape or form,” she said. “Is it fair to ask those people to go through verification all over again? The answer is: probably not.”
A framework for verification means agencies will tell each other they have seen identity documents and that they’re real, but won’t be sharing the documents themselves. This should avoid creating a “honeypot” situation where a security breach at the centre could give hackers access to masses of personal data — an idea that gives Dixon “the creeps”.
If the Queensland government, for example, has assigned someone an assurance level of three, Dixon explains, “then everybody else in that federation has to agree that that thing is the same thing, so that that person can use their Queensland credentials to sign into other things in the federation, like a Commonwealth site”.
Because the federated system would avoid the mass information sharing of a centralised system, the DTO thinks it can be introduced without changing the law — probably a good thing, given the 768 regulations on information sharing between government departments and seven privacy acts.
But for all the sophisticated technology and system design that goes into such identity systems, things don’t always go according to plan. Testing is vital.
Dixon gave a user research example. While one might assume younger people will feel comfortable using digital services, one 21-year-old man got to the eighth screen of personal questions verifying his identity and “wigged out”. His response? “Why is the government asking me all this information?”
He freaked out about the detail of the verification questions, even though the first screen explained the system already knew his personal information and was only asking questions to make sure it was really him.
The problem? He didn’t read it.