- There is a heightened concern about the privacy of personal information as we read about another breach or unsolicited sale of identity information.
- We are becoming increasingly uncomfortable with what’s been called ‘object based media’ which tailors our on-line experience and modifies what we read depending on our interests, gleaned from our searches and ‘likes".
- Organisations providing consumer or citizen services seek to improve their user's experience by eliminating username and password logins but at the same time try to gather as much information as possible about their clients.
The two main agencies working in this space are the Department of Human Service (DHS) and the Australian Tax Office (ATO), each following their own paths for their own purposes. The Digital Transformation Office, expanded and renamed The Digital Transformation Agency (DTA) was charged with managing the differences between the two departments and setting policy as to how a common identity management environment was to be deployed. They considered following the UK Verify model but that was eventually dropped. Political pressure made it impossible for an independently developed identity management solution to be deployed. Common wisdom and multiple consultant’s recommendations suggested a federated environment that would incorporate state-based identity providers such as Queensland’s CIDM service and ServiceNSW so that citizens with a registered identity with their state government would be able to use that identity to log onto federal systems.
But DHS won. The MyGov system is a closed authentication environment that requires service providers to register their application on the MyGov platform. While the platform has been opened-up to support other identity provider services, AustPost being the first, there is little incentive to sign up to any other service if you already have a MyGov account. Queensland is already decommitting from CIDM and focussing on the driver licence and 15+ card registrations that will be incorporated into an identity broker framework.
What’s more, the DTA is now working with the National Exchange of Vehicle and Driver Information (NEVDIS), originally established to facilitate cross-state sharing of driver licence and vehicle registration information with law enforcement officials, to allow them to get access to driver licence information. They particularly want access to the photo so that they can reach a level 3 assurance level; something the ATO wants for citizen access to more sensitive services. Driver licence photos are getting better, in Queensland they meet ICAO standards, which facilitates three-factor smartphone authentication as smartphone manufacturers open up their facial recognition technology.
But sharing of photos is a concern for Australians. We provide photos for the purpose of getting a driver licence, not for a central database to be used for other purposes to which we have not consented. This contravenes Australian privacy legislation.
Facial recognition simply needs a facial (visage) template that measures information such as the distance between the eyes, width and length of the nose, the mouth position and chin shape. This enables facial recognition but not image reconstruction. It’s also a lot less data to transmit and store. It is hoped that this is all that get's contributed to the DTA. It could be argued that since a template is a derivation of the photo it's not captured under privacy legislation.
So – it’s good that the federal government is finally moving ahead with an on-line authentication service, it’s just too bad it’s not a truly federated system, it requires service providers to be exposed via the MyGov environment and it’s hoped that the driver licence application process will soon close the "consent" objection to sharing visage objects.Oh – on the topic of privacy, Australia has some of the best privacy legislation. It’s a shame the Australian Office of the Information Commissioner (AOIC) has not been funded to investigate and prosecute the many organisations flagrantly abusing consumer privacy every day. We are continually asked for more information than is necessary for the services we’re requesting, and organisations are not deleting information when they can’t be bothered to update it. And most Australian organisations are not capable of responding to a person’s request for access to their data and requests to correct errors (required under the legislation).
Many company privacy policy statements, a requirement under the legislation, are very poor and the number of breaches, with notification finally a legislated requirement, indicates that companies are not safeguarding the data they keep on us.
It’s also a shame that the Attorney Generals Department has not moved ahead with the Cross-Border Privacy Rules (CBPR). We need to plug-and-play in Asia yet we spend more time on Europe’s General Data Privacy Regulation (GDPR). Now GDPR is the gold-standard when it comes to privacy practices, but Asia consists of sovereign states that each set their own privacy regulation, nothing like Europe’s nation states that adhere to a common regulation. Again, AOIC’s role in CBPR needs funding.
So it’s a mixed report card for Australia; we’ve done some things right, we’re finally going to have an authentication system to access federal government services. It’s too bad that I must setup a MyGov account to do so, I can’t use my QGov account.
But that’s the reality we live with - political factions seem to trump logical decisions.