Australia’s Digital ID System: Convenience vs. Privacy Concerns

Australia’s innovative digital ID system is poised to revolutionize our daily interactions with essential services. By consolidating critical documents, such as driver’s licences and Medicare cards, into a unified digital wallet, Australians will find it significantly easier to navigate an array of services without the cumbersome management of physical documents.

The federal government is actively working on this system, with a pilot expected to run in the upcoming year. Dubbed the “Trust Exchange”, this initiative is part of the broader Trusted Digital Identity Framework, which aims to facilitate secure identity verification using advanced digital tokens.

Earlier this year, in a speech to the National Press Club in Canberra, Federal Minister for Government Services Bill Shorten championed the new digital ID system as “world leading.” However, concerns linger regarding privacy issues, particularly when measured against international standards, such as those established by the European Union.

What is Trust Exchange?

Trust Exchange – or TEx – is designed to streamline online authentication for individuals. It will work alongside the myID platform (formerly myGovID), enabling Australians to securely store and manage their digital identity documents within a single interface.

The platform is designed to ensure both security and user-friendliness. Users will be empowered to access a spectrum of services, from banking to various government applications, without the hassle of handling multiple pieces of paperwork.

Essentially, the system acts as a mechanism for proving identity while allowing individuals to share pertinent information—like age, visa status, or licence numbers—without the need to present physical documents or divulge excessive personal details.

For instance, instead of revealing your entire driver’s licence just to verify your age at an establishment, you could employ a digital token that simply confirms, “Yes, this person is over 18.”

Falling short of global standards

The World Wide Web Consortium establishes global benchmarks for digital identity management. These standards advocate that individuals should only share the minimum necessary information, maintaining control over their digital identities without depending on central authorities.

The European Union’s digital identity regulation expands on these principles, creating a secure and privacy-centric framework for digital identities among its member states. It is decentralised, granting users complete control over their credentials.

However, Australia’s digital ID system, in its proposed form, does not meet these critical global standards on multiple fronts.

First, it follows a centralised model. All aspects of the system will be overseen, managed, and stored by a single government agency. This centralisation heightens vulnerability to data breaches and restricts users’ autonomy over their digital identities.

Second, the system fails to adhere to the World Wide Web Consortium’s established verifiable credentials standards. These standards are intended to let users selectively disclose individual data points, such as proof of age, providing only the absolute minimum information necessary for service access.

Consequently, there exists an increased risk of unintentional over-disclosure of personal information.

Third, global standards stress the importance of mitigating “linkability.” Minimising linkability keeps a user’s interactions across different services separate, which inhibits data aggregation.

Conversely, the token-based architecture of Australia’s digital ID system raises concerns that service providers could potentially track users across various platforms and compile behavioural profiles. The EU’s framework, in stark contrast, incorporates explicit measures to prevent such tracking unless expressly permitted by the user.

Finally, the Australian framework lacks the strict regulations seen in the EU, which mandate clear consent for the collection and processing of sensitive biometric data, including facial recognition and fingerprints.

Filling the gaps

It is crucial for the federal government to remediate these shortcomings to ensure the viability of its digital ID system. Our award-winning research suggests viable pathways for improvement.

The digital ID framework ought to simplify the verification process by automating the selection of an optimal, diverse set of credentials tailored for each verification scenario.

This approach will curtail the potential for user profiling by preventing any single credential from becoming closely associated with a particular service. It will also mitigate the risk of an individual being “singled out” for using a less common credential, such as an overseas driver’s licence.

Most importantly, it will enhance user experience throughout the system.

The infrastructure should also be decentralised, akin to the EU framework, granting users robust control over their digital identities. This mitigates risks associated with centralised data breaches and ensures individuals do not need to rely solely on a single government entity for credential management.

While Australia’s digital ID system represents a progressive step towards improved convenience and security in everyday transactions, it is imperative for the government to bridge the existing gaps to achieve a balanced approach to privacy and security for all Australians.
