Government smart wallet won’t work without overhaul: digital expert

Tom Burton, Government editor

A global expert on digital identity says shortcomings in the federal myGovID app will have to be addressed before state and federal ministers can proceed with their plan for a simple-to-use national digital ID system and attached smart wallet next year.

Stephen Wilson, founder of consulting firm Lockstep and an internationally recognised speaker on digital identity, said myGovID was only built to enable single sign-on to government services.

It would need modernising to create a smart wallet similar to those of Apple and Google, so people can easily and securely present their government documents such as passports and driver’s licences.

Apple and Google had military-level encryption so that virtual credit and debit cards could be used to buy things at payment terminals or online, Mr Wilson said.

Without being able to digitally connect their key credentials to banks, telcos, airlines and other utilities, people using myGovID would have to manually present credentials such as Medicare cards and work permits. More than 10 million people rely on myGovID.

This will dash hopes by state and federal ministers to use the proposed digital identity system to enable secure “click to prove” functionality similar to that of smart wallets.

Business will also have to keep the records, making them honey pots for cybercriminals. Optus and Medibank were hacked last year.

Mr Wilson said this was also likely to stymie hopes to bring business into the new digital identity regime, frustrating efforts to securely link public and private services such as around the birth of a child or changing a name.

Mr Wilson has been highly influential in the embrace of verifiable digital credentials by state and federal digital ministers. Verifiable credentials are a digital way for a person to prove information about their identity or qualifications.

He said both the regulatory arrangement around identity (known as the Trusted Digital Identity Framework or TDIF) and the Tax Office-operated myGovID needed to be updated to recognise the market shift to smart wallets and verifiable credentials.

By embracing the same technology, mobile phone SIM cards and smart wallets using myGov ID could enable secure transfer of personal information.

“There’s two really important pieces of tech debt [out of date technology]. One of them is TDIF and the other is myGovID. They were born of a different time, they’re intellectually 10 years old, and they don’t accommodate the modern idea of verifiable credentials or data signing,” he said.

“They’re silent on cryptographic standards. What I’m talking about is the same standards that banks use in chip cards and smartphone wallets.”

He said myGovID was “a single sign-on to federal services, using no cryptography”.

“It’s just a shared secret, with no ability to sign documents or prove possession of the credential. It’s just not of modern standard for protecting people online.”

Apple and Google had consumerised defence-grade cryptography so it was seamless for people to double-click to pay.

“You double-click to pay and that’s what we need for myGovID. You need to be able to double-click to present if you’ve got a Medicare number, or a driver’s licence in your phone.”

An ATO spokeswoman confirmed the myGovID service does not currently support verifiable credentials. The policy issue is being dealt with by a new identity taskforce in Finance Minister Katy Gallagher’s department.

Mr Wilson expressed scepticism about business embracing the national digital identity system being promoted by federal and state governments, arguing it would take years for banks, telcos and utilities to move away from their current trusted ways of verifying identity.

Rampant oversharing

Senator Gallagher said last week she was hoping to have the first phase of a working digital identity system operating for governments by mid next year.

She also committed to the phasing in of an economy-wide system that business and community groups could rely on as a way of stopping the rampant oversharing of sensitive personal information.

“Various well-meaning and well-funded projects have tried to tackle this problem for nearly a quarter of a century,” Mr Wilson said.

“None have succeeded. Experience has already shown that creating a large-scale digital identity is much harder than it looks.”

National digital IDs tended to work only in countries that already had national IDs, such as Singapore and Estonia.

“But in Australia, a national ID is unprecedented. The same goes for most comparable economies, including the other common-law countries,” Mr Wilson said.

Flexible system

“While Australia’s identification processes are uneven or fragmented, they are also flexible. A new centrally administered digital ID will be more rigid.”

Mr Wilson said businesses had been reluctant to rely on the authentication of incoming customers by third-party “identity providers” such as Australia Post’s Digital ID.

“The banks have never had a chance to look at that [the new digital identity system]. There’s no precedent, there’s no legal experience.”

“There are special cases where identification by post offices is accepted by banks for certain narrowly defined purposes, such as certain Know Your Customer (KYC) checks, but these cases have been difficult if not impossible to broaden to general-purpose identifications.”

“I don’t know of any pathway that takes the meaning of myGov ID out to business where businesses can consume it, understand it and rely on it.”

Mr Wilson said it was a mistake to describe it as a digital identity system.

“When you immerse yourself with the digital identity industry, you’ll find a shocking level of disagreement about what digital identity is. And I think that level of disagreement gets worse over time and more chaotic. So it’s a diabolical area.

“Identity is so emotional. It’s the stuff of psychology and Freud. And when you go and put digital in the front of it, it doesn’t help.”

Mr Wilson said this caused people to think the new system was about establishing a new Australia card identity number, rather than a system of identification.

He said the aim of the new system should be about ensuring the fidelity and progeny of the data about people and not the person themselves.

He pointed to a recent expert round table run by NAB.

“Individuals rarely need to prove their identity. Rather, in most cases, they need to prove they possess an attribute for a particular purpose (i.e. I am over 18 years old and therefore legally allowed to purchase alcohol, or I am a licensed fisher person and entitled to fish in these waters),” the cross-disciplinary NAB group noted.

“The concepts of ‘digital identity’ and ‘digital identification’ are often conflated, causing confusion,” the group said.

“We don’t have an identity problem,” Mr Wilson said.

“We have a data problem. To improve identification processes, we should improve the data that goes into them, not invent brand new types of data.”

Tom Burton has held senior editorial and publishing roles with The Mandarin, The Sydney Morning Herald and as Canberra bureau chief for The Australian Financial Review. He has won three Walkley awards. Connect with Tom on Twitter. Email Tom at tom.burton@afr.com
