A national digital ID scheme is being proposed. An expert weighs the pros and (many more) cons
To address such costs, the federal government is proposing a national digital identity scheme that will let people prove their identity without having to share documents such as their passport, driver's licence or Medicare card.
- Finance Minister Katy Gallagher opened consultations for the draft bill last week, with plans to introduce the legislation to parliament by the end of the year.
What would change?
- The draft bill package includes strong updates to security requirements for how organisations store people’s IDs, as well as the reporting of data breaches and suspected identity fraud.
- In her speech to the Australian Information Industry Association, Gallagher outlined a four-phase rollout.
How would it work?
- To prove your identity to a participating organisation, you would log into the organisation’s website and select MyGovID as your verification method.
- You would then log into your MyGovID app and give consent for your identity to be verified with that organisation.
The upside of the proposal
- The Medibank, Optus and Latitude data breaches of 2022-23 have demonstrated the lack of regulation and enforcement of identity protection legislation in Australia.
- The bill also outlines minimum cybersecurity standards, and requires regular review of organisations dealing with identity data.
Unresolved MyGovID security flaws
- In releasing the draft bill, the government has highlighted a voluntary national digital identity – the MyGovID – which is already being used by more than 6 million Australians and 1.3 million businesses.
- In 2020, security researchers warned the public against using MyGovID due to security flaws in its design.
- According to Webber Insurance, 14 of the 44 recorded data breaches between January and June this year were reported by government authorities.
- More worryingly, the Privacy Act has a loophole which allows state and government authorities to remain exempt from compulsory data breach reporting.
A honey trap for hackers
- Also, streamlining distributed identification systems in this way will create an irresistible target for hackers.
- In cybersecurity this is called a honeypot, or honey trap.
- Just as honey is irresistible to bears, these data lures are irresistible to hackers.
What can you do?
- However, you don’t have much time to have your say: public submissions are being sought until October 10.
- This extremely short consultation period doesn’t provide much confidence a fit-for-purpose solution will be created.