Maat's Method


The Digital ID Bill 2023

Digital identity legislation is being considered, passed and implemented all over the world. Singapore, Nigeria, India, Sweden and Belgium all already have digital identity frameworks implemented. Estonia has already had digital ID in place for 20 years!

Australian politicians are obedient followers, if nothing else, and they are doing their absolute best to catch up.

I have recently spent quite a bit of time reading through and reviewing the Australian Digital ID Bill 2023 (the Bill). Most of the readers of this article will know that, as a general rule, I am quite sceptical of Government. I would be lying if I said I didn’t read the Bill through the framing of ‘how could this be abused?’, as opposed to, ‘how could this help us?’. This article, therefore, focuses on the former question. For the latter question, there is already plenty of Government spin out there.

I don’t apologise for that kind of sceptical reading. I instead think that it is both appropriate and necessary in circumstances where, like here, the Government is proposing an expansion of their scope of power via legislation that we the people will be subject to. Historically, again and again and again, it is Governments who have been responsible for breaching and diluting the rights of human beings. And here, we are considering trusting Government with our most personal and sensitive information.

So, what does the Bill propose?

And, could it be abused?

This article covers the following:

1. A bit of background for my scepticism;

2. A summary of what the Bill seeks to do; and

3. Could the Bill, and the framework it seeks to set up, be abused?

Some Background for my Scepticism

Australia’s Digital Transformation Agency, a Government agency tasked with “driving and securing the Australian Government’s investment in Australia’s digital future”, is the Chair of the “Digital Government Exchange Digital Working Group” (the Working Group). The Working Group, which is comprised of eight member nations (Australia, Canada, Finland, Israel, New Zealand, Singapore, the Netherlands, and the United Kingdom), released a report in 2021 titled “Digital Identity in response to Covid-19”. It is caliginous reading.

Among other things, the report advocates for open sharing of citizens’ personal information across borders, and the global centralisation of digital identity operating systems to achieve this. As an example of what this kind of global digital identity network could achieve, the report refers to “strong, mutually recognised and trusted vaccination certificates to enable safer cross-border movement”.

Of course, this approach aligns neatly with the framework currently being proposed by the World Health Organisation[1] in its frantic re-write of the International Health Regulations, which proposes to implement digital health certificates as a requirement for travel.

Given my vehement opposition to the restriction of movement on the basis of medical status, and particularly on the basis of whether one has chosen to inject their body with the latest pharmaceutical money spinner, you will understand that I read the Bill with the above firmly in mind.

A (non-biased) Summary of what the Bill seeks to do

I must start by saying, the Bill is quite convoluted. The reason for this stems partly from the fact that Australia already has a digital identity framework in place, and the Bill is essentially seeking to update and formalise that framework, as opposed to inventing a new one.

In brief, the Bill does the following:

Accreditation Scheme

The first thing the Bill does is to set up an accreditation scheme, which gives the ACCC the responsibility of deciding whether to accredit entities who want to participate in the digital identity framework. Accredited entities can register as one of the following:

a. ‘Identity service providers’, which allow individuals to set up and manage their digital identities (such as ‘myGovID’);

b. ‘Attribute service providers’, which verify specific attributes or characteristics of an individual (such as age or qualification); and

c. ‘Identity exchange providers’, which transfer information between identity service providers and attribute service providers.

The accreditation scheme is not limited to government entities. It is instead intended to operate economy wide, with private sector agencies and companies invited to participate.

Additional Privacy Requirements

The Bill implements privacy requirements additional to those already required by the Privacy Act 1988 (Cth). There are several rules in place to protect personal information, including limitations on the gathering, usage, and distribution of biometric data and other personal information. There is also a requirement to erase biometric data immediately following verification, and restrictions on using data profiling to track online behaviour or for marketing purposes.

Updating the Australian Government Digital ID System

The Australian Government Digital ID System, or AGDIS, is already in place. The new Bill makes a number of updates to that system. In particular, it:

a. Makes the ACCC the initial Digital ID Regulator, who is responsible for accreditation and enforcing compliance; and

b. Creates new powers for the Minister, including issuing directions to the Regulator in relation to accreditation and participation in the AGDIS.

In terms of how digital ID would actually work, a member of the public would download an app for their smartphone, which requires either fingerprint or faceprint (or some other biometric ID) to be unlocked. To prove their identity to a participating entity, the individual would log into the organisation’s website or app and select MyGovID as their verification method (as opposed to providing 100 points of ID in the form of birth certificates, passports, drivers’ licences, etc). The individual would then log into their MyGovID app and give consent for their identity to be verified with the organisation.

Could the Bill, and the framework it seeks to set up, be abused?

Is it voluntary?

This is, of course, the key question, and the Government knows it. The Bill goes to quite some length to advertise voluntariness within it. Even the objects of the Bill, which is a key section of any statute and the first place a Court will look if there is any dispute as to the intention of a law, places the word “voluntary” front and centre:

3 Objects

(1) The objects of this Act are as follows:

    (a) to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;

In addition:

a. The accreditation scheme (for businesses and entities that want to apply to accept people’s digital IDs) is also voluntary (see Section 14); and

b. ‘Identity Service Providers’ (such as MyGovID) must deactivate an individual’s digital ID on request (see Section 29).

But, when it comes to voluntariness, the primary question is whether, despite technically being voluntary, an individual might be forced to engage in using a digital ID in order to access particular services. I.e., could a situation arise where it’s not compulsory to have a digital ID, but if you want to visit and use a bank you must have a digital ID?

(Sort of like, it’s not compulsory to be vaccinated, but if you want to retain your freedom of movement, you must be – see paragraph 9 of this Judgment for the Supreme Court of NSW’s use of this reasoning).

So, does the Bill employ this kind of semantic sophistry? We find our answer in Section 74, which I will copy below with some of my own commentary [in brackets]:

74  Creating and using a digital ID is voluntary

Creating and using a digital ID is voluntary

(1) A participating relying party must not, as a condition of providing a service or access to a service, require an individual to create or use a digital ID.

[Okay].

Exceptions [uh oh]

(2) Subsection (1) does not apply to a service of a participating relying party if:

    (a) the service provides access to another service; and

    (b) the individual can access the other service without creating or using a digital ID through the Australian Government Digital ID System.

[Okay]

Example:  To open a bank account, ABC Bank requires new customers to verify their identity. ABC Bank allows customers to do this in person at each branch of ABC Bank or alternatively by using the bank’s online application service, which requires the use of a digital ID. Jacob wants to open a bank account with ABC Bank but he does not wish to use his digital ID to do so. Because Jacob can verify his identity by going to his nearest branch instead, ABC Bank does not contravene subsection (1).

[Okay]

(3) Subsection (1) does not apply if:

    (a) the participating relying party is providing a service, or access to a service, to an individual who is acting on behalf of another entity in a professional or business capacity; or

    (b) the participating relying party holds an exemption under subsection (4).

[Well, we better look carefully at these exemptions…]

Exemptions

(4) Subject to subsection (6), the Digital ID Regulator may, on application by a participating relying party, grant an exemption under this subsection to the participating relying party if the Digital ID Regulator is satisfied that it is appropriate to do so.

Note: See Part 5 of Chapter 9 for matters relating to applications.

[Bad, bad, bad!]

Well, there it is…just when I was thinking, ‘hmm, this is nowhere near as bad as the Misinformation Bill!’, the same kind of open, unfettered discretion that infected that Bill rears its ugly head. Pursuant to this Section, the Regulator can exempt a party from the “voluntary” aspect of Digital ID if it “is satisfied that it is appropriate to do so”. This kind of open discretion, apart from being totally unjustified, is never a good idea. It is too apt for abuse by either a rogue Government or a rogue Government Minister. And, in this case, it means that the Australian Government Digital Identity Scheme is not actually voluntary. At the very least, the regulator (currently the ACCC) can make it compulsory for the access of particular services at any time they choose, for any reason.

The only entities that the Regulator cannot grant such an exemption to are Commonwealth entities and agencies within the meaning of the Freedom of Information Act 1982.

State and Territory Government services? No problem. Private companies? No problem. Banks? No problem. Shopping centres? Fine. If the Regulator chooses, they can grant any one of these businesses permission to make a digital ID the only way their services can be accessed, which in effect will make the use of digital ID mandatory. Not good; particularly if you’re sceptical of Government, like me (it would certainly make it easier to restrict people from shopping the next time transnational pharmaceutical corporations want to make some quick trillions. But I digress).

I would like to highlight a few further issues with the Bill.

Could citizens’ personal information be shared without their consent?

As a general rule, police in Australia will not have a copy of a citizen’s biometric ID (such as a fingerprint) unless they have been convicted of a crime. The Bill could change that, because Section 49 allows an accredited entity (an entity that holds your biometric ID for the purposes of identifying you under the scheme) to disclose your biometric information to a law enforcement agency if a warrant is issued for that information. This means that an important layer of protection, being the fact that police simply don’t have ready access to everybody’s digital IDs because the only place to access it is from the individual, is being removed, and we will likely see many applications for access to such information made by Police.

Section 54 is also loosely drafted, allowing entities to share “personal information” (but not biometric information) about an individual in a number of circumstances. Of these, the most worrying is that “at the time the information is used or disclosed, the accredited entity is satisfied that … proceedings [have commenced] against a person for an offence against a law of the Commonwealth, a State or a Territory”. This means that if proceedings are commenced against you, even if you have not yet been convicted of anything, an entity is allowed to share your personal information.

Section 49 allows entities to share information for the purposes of testing, without specifying the types of testing allowed, whilst Section 65 allows the Regulator (the ACCC) to authorise the sharing of “restricted attributes”, subject to some considerations. What are restricted attributes? Among other things, health information and criminal record.

Security Issues and Surveillance

It was only in 2020 that security researchers recommended that Australians don’t use MyGovID due to its vulnerable security framework. Remarkably, the ATO refused to address the issue.

The Government doesn’t exactly have a solid track record when it comes to security in general, with approximately 60 reported breaches per annum, as of 2022.

The centralisation of digital ID within a uniform system would present what is sometimes called a ‘honeypot’ to hackers – a one stop shop for the sensitive identity information for everybody in Australia. That’ll reduce their workload significantly – they’ll only need to get past one set of security protocols, set up by a mob who have already proven themselves incompetent.

The Australian Government has been making steady changes to legislation since 2001 to increase its surveillance powers under the guise of counter-terrorism. The Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 allows for location tracking and the tracking and storage of interactions between individuals and both public and private organizations. The proposed scheme aims to link all personal information, granting the federal government complete oversight of citizens’ lives.

Conclusion

The Digital ID Bill 2023 is the latest example in a long line of legislative attempts to expand government control at the expense of individual autonomy and self-determination. The proposed framework, while potentially convenient in terms of streamlining government services, has no effective checks and balances, raises serious risks around privacy and seems to almost actively facilitate the potential for abuse. Given the Australian Government’s track record of breaching and diluting human rights, as well as its involvement in the global centralisation of digital identity operating systems, it is reasonable to surmise that the scheme may be used in a manner conducive to the interests of Government, as opposed to the interests of the public.

[1] It is important to note that the World Health Organisation receives a majority of its funding from the pharmaceutical industry, and other interested agencies such as the Bill and Melinda Gates Foundation.