Edward Santow, University of Technology Sydney; Lauren Perry, University of Technology Sydney, and Sophie Farthing, University of Technology Sydney
In a world promising self-driving cars and artificial general intelligence, the prospect of a new form of digital identity verification can feel … less than exciting.
And yet digital identity is about to be unleashed in Australia and around the world. In 2024, many years before most of us experience the joy of commuting in our fully autonomous car, new forms of digital ID will profoundly change how we engage with government and business. For example, digital ID may remove the pain of handing over physical copies of your driver’s licence, passport and birth certificate when renewing your Working with Children Check or setting up a new bank account.
How can we gain the benefits of digital ID – convenience, efficiency, lower risk of cybercrime – while minimising the attendant risks, such as privacy leaks, data misuse, and reduced trust in government?
In a new paper released by the Human Technology Institute, we propose legal and policy guardrails to improve user safeguards and build community trust for the rollout of digital ID in New South Wales. While the paper focuses on NSW, it contains 10 principles to support the development of any safe, reliable and responsible digital identity system.
Across Australia, governments are kickstarting digital identity initiatives
Some forms of digital identification already operate in Australia at scale. For example, the Document Verification Service was introduced as early as 2009 to automate checking of important documents such as passports.
Last year, this service was used more than 140 million times by roughly 2700 government and private sector organisations. A limited form of facial verification technology was used well over a million times.
A key problem, however, is that Australia has not had an effective legal framework to govern even the existing digital ID system. This is starting to change.
In June this year, the federal government released a national strategy for digital identity resilience. In its final sittings for 2023, the Australian Parliament passed the Identity Verification Services Bill 2023, which provides some important protections for privacy and other rights.
Also in December, the government proposed a second law, the Digital ID Bill 2023. This bill would provide rules for a major expansion of Australia’s system of digital identification.
Notwithstanding this recent flurry of activity in the federal government, NSW has long been Australia’s leading jurisdiction in this area. It announced its Digital ID program in April 2022 and has quietly worked to put in place the key elements of what could become a world-leading digital ID system, with strong community safeguards.
What is a ‘digital identity’, and what are the risks?
The technologies at the heart of digital ID are powerful and carry risks.
In particular, facial verification technology matches an individual’s face data against a recorded reference image. It may also incorporate ‘liveness detection’, which checks that the face to be verified belongs to a genuine individual requesting a service in real time (as opposed to a photograph, for example).
NSW’s digital identity initiative uses both these technologies.
Overall, digital identity should mean less of our personal information is collected and used by third parties. For example, when someone enters a pub and a bouncer asks for ID, the only information the bouncer needs to know is that the patron is over 18. The bouncer doesn’t need other personal information on their licence, such as their address or organ donor status.
Good design and regulation would ensure the digital ID service can verify someone’s age without disclosing other sensitive data.
On the other hand, these technologies use sensitive personal information and this brings risks when they are used to make decisions that affect people’s rights. Errors may result in an individual being denied an essential government service.
Because a digital ID system would by its nature collect sensitive personal information, it also poses risks of identity fraud or hacking of personal information.
Making digital ID safe
There must be robust safeguards in place to address these risks.
Accountable digital identity systems should be voluntary, not compulsory. They need to ensure citizens have options for choice and consent, and should be usable and accessible for everyone.
Digital ID also needs to be safe. It should protect the sensitive personal information of users and make sure this data is not used for other, unintended purposes like law enforcement.
To achieve these aims, we recommend that NSW Digital ID be grounded in legislation that enshrines:
- user protections, including providing for privacy and data security of all users
- performance standards, ensuring that digital identity performs to a high standard of accuracy and be fit for purpose, with public reporting by the responsible government agency or department on relevant independent benchmarking and technical standards compliance
- oversight and accountability, with both internal and external monitoring, and clear redress mechanisms
- interoperability with other government systems.
These principles are not specific to NSW. They are relevant and transferable to other jurisdictions looking to develop digital identity systems.
Whether Australia’s digital identity transformation is a success depends on how digital identity systems are established in law and practice. It is crucial that robust governance mechanisms are in place to ensure digital identity systems are safe, secure and accountable. Only then will Australians embrace and trust the digital transformation that is afoot.
Have you been following the development of digital IDs? Are you confident the system will be safe? Share your thoughts in the comments section below.
HTI’s work to develop independent expert advice outlining a governance framework and training strategy for NSW Digital ID was funded by a James Martin Institute Policy Challenge Grant.
Edward Santow, Professor & Co-Director, Human Technology Institute, University of Technology Sydney; Lauren Perry, Responsible Technology Policy Specialist – Human Technology Institute, University of Technology Sydney, and Sophie Farthing, Head, Policy Lab, Human Technology Institute, University of Technology Sydney
This article is republished from The Conversation under a Creative Commons licence. Read the original article.
What a great idea. Place every item of your existence on the World Wide Web, the hackers must be popping champagne corks. I’m all for technology IN ITS PLACE. Everything these days is for convenience and damn the consequences, that’s why so many people are being ripped off, apart from their stupidity. If people got off their back sides, picked up their ID, driver’s license, birth certificate, passport, whatever and physically took it into whatever authority required it for whatever purpose, the World would be a safer place. Today’s motto of near enough is good enough is not acceptable. Jacka.
Facial recognition has its dangers as I discovered recently when logging into my bank account using this method. Up came another members bank account details including amounts in various accounts. After contacting my bank and supplying screen shots of the transactions, I was later informed that the other member had been notified and an investigation was in progress and I’d be advised of the result. I’ve heard nothing since.
That’s gobsmacking Mike. Can you keep us in touch please? Editor@yourlifechoices.com.au
There is no such thing as a SAFE system of any sort, especially the internet. It is a myth perpetuated by people with a self-interest in making money and gaining power from such systems. A truism learnt long ago: whatever man makes, other men can unmake. At best the designer can make it more difficult to unmake. Hackers are not stupid, they can be university academics or employees at computer hardware or software companies. Dr Jeppy.