The federal government’s long, winding and usually controversial efforts to create a national digital identity framework have inched another step closer to reality with the Digital Transformation Agency moving to centralise control over how government credentials are created and quietly relaunching the project as Govpass.
In a significant progress update, the DTA has revealed that the new identity scheme is in what it calls ‘private beta’ stage, with a public beta due for availability in early 2017.
As previously signalled, the head and shoulders of the digital identity project is a federated model hinging on a newly minted account credential backed by an underlying exchange that can cross-check and authenticate that users are who they say they are.
More on the technical aspects in a moment, but the biggest revelation is the holistic extent to which the DTA now envisages its oversight of transactional verification to reach.
Central credential control
A privacy impact assessment (compiled independently by consultancy Galexia) released in conjunction with the update reveals that the ultimate vision under the previously announced Trusted Digital Identity Framework will be for the DTA to take control of how Commonwealth agencies create digital user credentials, including a prohibition on agencies going it alone.
It calls out management of identity creators as identity providers (or IdPs) as a key area of action.
“At the Commonwealth level, the DTA has decided to develop a single IdP. Existing Commonwealth digital identities will be transitioned to the Commonwealth IdP, and no further IdPs will be allowed to develop at the Commonwealth level.
“In contrast to the Identity Exchange, IdPs do collect and store significant amounts of personal data,” the PIA says.
But it also cautions “the proposals relating to IdPs are the subject of significant privacy concerns from stakeholders.”
Privacy pressure ever present
As successive governments have learned, dealing with the concerns of privacy advocates — including statutory office holders state and federal — is far from a trivial issue.
On the thorny issue of “the selection of a single Commonwealth IdP” the PIA recommends “the DTA should recognise stakeholder concerns” and take steps “to ensure that the proposal has an appropriate level of stakeholder and community understanding and support before implementing the proposal.”
The former Digital Transformation Office found its efforts to develop a trusted identity scheme quickly offside with peak privacy groups who complained they were shut out of consultations rather than included in them from the start.
In August 2016 the Australia Privacy Foundation publicly broadsided the DTO for both leaving it out of consultations and keeping quiet over whether the new Trusted Digital Identity Framework would be subject to a privacy impact assessment — which it now has been.
Slower, better, stronger
While the initial impetus under the DTO had been to get a digital identity minimum viable product and alpha up and running quickly, the latest missive from the DTA conspicuously argues more time and less haste is the way to go.
It essentially concedes the project is too big to fail and that a rushed effort could create a bigger mess than the one that now exists in terms of disparate electronic credentials.
The DTA wants to make sure it gets this project right.
While building new technology can be done relatively quickly, there is considerable work involved to successfully deliver a sound and reliable new process and technologies for public use.
“The DTA is drawing on its delivery expertise and understanding of the complexities of this project to ensure all the appropriate steps are taken before rolling it out for public users,” the agency says in its update.
More to come…