Digital ID

Is Australia's Digital ID Bill dangerous?

In Australia, the Senate is inquiring into a new bill, the Digital ID Bill 2023.

To cut a long story short, this bill is controversial.

On one side, the government asserted that this bill will

… put in place the legislative framework to create an economy-wide Digital ID system in Australia.

Digital ID is a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information. Digital ID is not a card, it’s not a unique number, nor a new form of ID.

Data breaches, such as Optus and Medibank, impacting millions of Australians shows the need to protect people and their identities. This Bill will help to address this challenge. The Digital IDs enabled by this Bill will avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain documents that could then be at risk.

On the other side, the fear is that

Picture this: your most private information, used and abused, not just by the government, but by corporations too. Add to that the potential for your every move to be monitored and controlled. Scary, isn’t it?

The Albanese Labor Government has just lobbed a dystopian grenade in our laps – the Digital ID Bill 2023. And nobody asked for it.

So, who’s right? Should you oppose or support it? Is it good or evil?

I think it is good for cybersecurity. But in terms of privacy, you gain some and lose some. Whether to support or oppose it depends on your values. This article will help you make up your mind.

Current Situation

Today, many organisations and businesses are legally obligated to verify your identity, both online and in person.

For example, to sign up for a mobile phone account, telecommunication companies need to verify who you are. In the process of doing that, they end up storing your identity documents (e.g. passport, driver’s license) in their system.

Then hackers break into their systems, steal your identity documents and use them to commit identity theft at your expense. Optus, Medibank and Latitude Financial are prime examples of big businesses that got hacked and created serious risks for literally millions of people.

Let’s assume that organisations and businesses are always going to get hacked, resulting in identity documents being stolen, and putting lots of people at risk of identity theft.

So, what is the technological solution to mitigate this risk going forward?

OAuth

Such a solution already exists. It is called OAuth. Most people already use this solution without realising it.

For example, look at the sign-in page of Canva:

You can sign in with an email and password. But as we know, websites are getting hacked all the time and passwords are stolen by hackers. Besides, people are sick and tired of coming up with yet another password.

So, the alternative is to log into your Canva account through your Apple, Google, Microsoft or Facebook account.

This is OAuth technology.

This is how it works in non-technical language:

  • When you sign in through your Google account, Canva redirects you to Google’s sign-in page.
  • You authenticate yourself to Google (with passwords, MFA, security key, or whatever).
  • Google will then tell you, or ask you to choose, which personal information stored with Google (e.g. email, phone number) will be passed on to Canva.
  • Google will then inform Canva that you have authenticated yourself to them and pass on your personal information (that you permitted in the previous step) to Canva.
  • Based on this information from Google, Canva signs you in (or creates an account).

So, using OAuth is more secure and convenient, right? Then, what else is the problem?

Privacy problem

This problem is not a cybersecurity issue. Instead, it is a privacy issue.

Google can see that you have an account with Canva. It knows what time you sign in to Canva. It also knows about the device and IP address that you use when you sign in to Canva through them.

You may ask: So what if Google knows that I have an account with Canva?

Imagine you use OAuth to sign in to all of your online accounts through Google. Will you be comfortable with that? Should that happen, Google will have a pretty good picture of your online presence. Also, since they are the gatekeepers of your access to your online accounts, they pretty much control your online life. Should your Google account be banned, you are pretty much screwed. You will lose access to all your online accounts that you sign in through Google.

Digital ID and OAuth

Australia’s Digital ID is similar to OAuth.

Let’s say that you want to buy alcohol online and you need to prove that you are above 18. Currently, the alcohol e-commerce website will need access to your identity documents (e.g. driver’s license) to know for sure that you are above 18. What if that website gets hacked and your identity document is stolen? Then you are screwed through no fault of your own.

With Digital ID, it goes like this:

  • Your digital ID provider already knows who you are because it has all your identity documents. A digital ID provider can be a private-sector company (e.g. Australia Post, EFTPOS, Pharmacy ID) or a government entity (e.g. MyGovID).
  • Before purchasing, the alcohol website will redirect you to the digital ID provider of your choice.
  • You authenticate yourself to your digital ID provider. It can be a facial recognition scan on your mobile device, Touch ID or Face ID on your iPhone, password, or whatever.
  • Your digital ID provider will then, with your permission, pass on some personal information about you to the alcohol e-commerce website. In this example, your digital ID provider will inform the website that you are above 18. The crucial thing to understand is that no other information needs to be passed on to the website.
  • The website, after being assured by your digital ID provider that you are above 18, proceeds with the online purchase order.

With Digital ID, this is more secure. There is no need for the alcohol e-commerce website to collect and store your identity documents on their system to be potentially raided by hackers.

Arguably, it is more private.

Your identity documents can show a lot more information not needed by the website to do its business. For example, address, photo, date of birth, and so on. Using Digital ID, the website only knows that you are above 18 and nothing more.

In other words, identity documents are an all-or-nothing approach. You either risk all your personal information in the identity document or you risk nothing (by declining to use the service). The Digital ID approach allows for more selective exposure of your personal information. In the above-mentioned example, the website only knows that you are above 18. It does not know anything else about you.

What is the fear of Digital ID?

Privacy

The privacy problem of Digital ID is the same as that of OAuth. Your digital ID provider knows when, and with which businesses and organisations, your identity is verified. As society becomes more and more dependent on Digital ID, your digital ID provider will know more and more about you.

For example, each time you visit an alcohol retail store, instead of showing your driver’s license, you verify your identity through your digital ID provider. The alcohol retail store staff will not see your driver’s license, which means they will not be able to know your home address or date of birth. That is good for privacy. But your digital ID provider will know that you bought something, at which alcohol retail store and at what time. That is bad for privacy.
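The age check and the provider-side record described above, as an added example that is not part of the original article or of any digital ID provider's code: a hypothetical provider derives a single over-18 claim from its stored record and signs it for one website, and the website verifies it without ever seeing the date of birth or address. The names, sample records and token format are constructed for illustration, and an HMAC with a shared demo key stands in for the provider's real digital signature.

```python
import base64, hashlib, hmac, json, time
from datetime import date, datetime, timezone

# Constructed records: everything the hypothetical provider holds about each user.
IDENTITY_STORE = {
    "user-1": {"name": "Alex Citizen", "dob": "1990-05-17", "address": "1 Example St"},
    "user-2": {"name": "Sam Minor", "dob": "2010-01-01", "address": "2 Example St"},
}
PROVIDER_KEY = b"demo-only-key"  # assumption: HMAC stands in for the provider's signature
PROVIDER_LOG = []                # what the provider learns from each verification

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_age_assertion(user_id, relying_party, nonce, now=None):
    """Provider side: derive one yes/no claim and sign it for one relying party."""
    now = int(time.time()) if now is None else now
    dob = date.fromisoformat(IDENTITY_STORE[user_id]["dob"])
    today = datetime.fromtimestamp(now, timezone.utc).date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    claims = {"over_18": age >= 18, "aud": relying_party, "nonce": nonce, "exp": now + 300}
    # The privacy cost: the provider records who was verified, where and when.
    PROVIDER_LOG.append({"user": user_id, "relying_party": relying_party, "time": now})
    body = json.dumps(claims, sort_keys=True).encode()
    return b64(body) + "." + b64(hmac.new(PROVIDER_KEY, body, hashlib.sha256).digest())

def verify_age_assertion(token, expected_rp, expected_nonce, now=None):
    """Website side: return the claims only for a fresh, untampered token meant for us."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    if not hmac.compare_digest(sig, hmac.new(PROVIDER_KEY, body, hashlib.sha256).digest()):
        return None     # body or signature was altered
    claims = json.loads(body)
    if claims["aud"] != expected_rp:       # issued for a different website
        return None
    if claims["nonce"] != expected_nonce:  # answer to some earlier request (replay)
        return None
    if claims["exp"] < now:                # expired
        return None
    return claims

if __name__ == "__main__":
    token = issue_age_assertion("user-1", "bottleshop.example", "nonce-123")
    print(verify_age_assertion(token, "bottleshop.example", "nonce-123"))
    print(PROVIDER_LOG)
```

The website ends up holding one boolean, while `PROVIDER_LOG` holds the user, the website and the time of every check.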

There is also another privacy advantage of the old-fashioned way (of showing or submitting your identity documents): No third-party entity needs to know when your identity is verified. For example:

  • When you show your driver’s license to your alcohol retail store, that’s between you and the store. 
  • When you submit your identity documents to your employer, that is between you and your employer.

No third-party entity (i.e. digital ID provider) will know whenever it happens.

Cybersecurity

Since your digital ID provider is the custodian of your identity documents (which are usually government-issued), they need to be extremely secure. If the digital ID provider gets hacked, the outcome will be catastrophic.

In essence, the Digital ID Bill transfers the cybersecurity risk from a multitude of organisations and businesses (e.g. your neighbourhood real-estate agency, RSL clubs, local alcohol shops, job agencies, banks, and telcos) to a single digital ID provider.

You can argue that cybersecurity risk becomes an all-eggs-in-one-basket risk. That is why the Digital ID Bill includes an accreditation scheme to regulate digital ID providers. A private business cannot become a digital ID provider unless it jumps through the hoops and does the work to ensure that it is compliant in terms of cybersecurity.

Privacy creep

The existing list of organisations and businesses that need to verify your identity is not controversial. For example, government departments, banks, telcos, financial services providers, educational institutions, and so on, need to verify your identity to comply with legal obligations.

What if in future, through additional government legislation, more organisations and businesses are included? For example,

  • Dating websites need to verify the identity of their customers.
  • Porn websites need to verify the age of their users.

With the Digital ID Bill, the easiest way for these organisations and businesses to comply is to do it through accredited digital ID providers. No organisations or businesses want to have the burden of storing identity documents on their system. Not all users and customers feel comfortable about handing out their identity documents to them.

I am not a legal expert here. But when Senator Gallagher said that digital ID is “voluntary”, does it mean that businesses and organisations that need to verify identities are also required to do so the old-fashioned way (i.e. collecting identity documents) for people who do not wish to use a digital ID provider? Or are they allowed to provide only ONE WAY to verify identity, through a digital ID provider (i.e. choose NOT to verify identity by collecting identity documents)?

As more and more businesses and organisations use digital ID providers, it becomes a ‘privacy creep’ where the latter know more and more about their users.

Finally

In this article, I have laid out the advantages and disadvantages of the Digital ID Bill in terms of cybersecurity and privacy. While I like the cybersecurity advantages of it, I have some privacy concerns.
