In a world promising self-driving cars and artificial general intelligence, the prospect of a new form of digital identity verification can feel … less than exciting.
And yet digital identity is about to be unleashed in Australia and around the world. In 2024, many years before most of us experience the joy of commuting in our fully autonomous car, new forms of digital ID will profoundly change how we engage with government and business. For example, digital ID may remove the pain of handing over physical copies of your driver’s licence, passport and birth certificate when renewing your Working with Children Check or setting up a new bank account.
How can we gain the benefits of digital ID – convenience, efficiency, lower risk of cybercrime – while minimising the attendant risks, such as privacy leaks, data misuse, and reduced trust in government?
In a new paper released today by the Human Technology Institute, we propose legal and policy guardrails to improve user safeguards and build community trust for the rollout of digital ID in New South Wales. While the paper focuses on NSW, it contains ten principles to support the development of any safe, reliable and responsible digital identity system.
Across Australia, governments are kickstarting digital identity initiatives
Some forms of digital identification already operate in Australia at scale. For example, the Document Verification Service was introduced as early as 2009 to automate checking of important documents such as passports.
Last year this service was used more than 140 million times by roughly 2,700 government and private sector organisations. A limited form of facial verification technology was used well over a million times.
A key problem, however, is that Australia has not had an effective legal framework to govern even the existing digital ID system. This is starting to change.
In June this year, the federal government released a national strategy for digital identity resilience. In its final sittings for 2023, the Australian Parliament passed the Identity Verification Services Bill 2023, which provides some important protections for privacy and other rights.
Also in December, the government proposed a second law, the Digital ID Bill 2023. This bill would provide rules for a major expansion of Australia’s system of digital identification.
Notwithstanding this recent flurry of activity in the federal government, NSW has long been Australia’s leading jurisdiction in this area. It announced its Digital ID program in April 2022 and has quietly worked to put in place the key elements of what could become a world-leading digital ID system, with strong community safeguards.
What is a ‘digital identity’, and what are the risks?
The technologies at the heart of digital ID are powerful and carry risks.
In particular, facial verification technology matches an individual’s face data against a recorded reference image. It may also incorporate “liveness detection”, which checks that the face to be verified belongs to a genuine individual requesting a service in real time (as opposed to a photograph, for example).
NSW’s digital identity initiative uses both these technologies.
Overall, digital identity should mean less of our personal information is collected and used by third parties. For example, when someone enters a pub and a bouncer asks for ID, the only information the bouncer needs to know is that the patron is over 18. The bouncer doesn’t need other personal information on their licence, such as their address or organ donor status.
Good design and regulation would ensure the digital ID service can verify someone’s age without disclosing other sensitive data.
On the other hand, these technologies use sensitive personal information and this brings risks when they are used to make decisions that affect people’s rights. Errors may result in an individual being denied an essential government service.
Because a digital ID system would by its nature collect sensitive personal information, it also poses risks of identity fraud or hacking of personal information.
Making digital ID safe
There must be robust safeguards in place to address these risks.
Accountable digital identity systems should be voluntary, not compulsory. They need to ensure citizens have options for choice and consent, and should be usable and accessible for everyone.
Digital ID also needs to be safe. It should protect the sensitive personal information of users and make sure this data is not used for other, unintended purposes like law enforcement.
To achieve these aims, we recommend that NSW Digital ID be grounded in legislation that enshrines:
- user protections, including providing for privacy and data security of all users
- performance standards, ensuring that digital identity performs to a high standard of accuracy and be fit for purpose, with public reporting by the responsible government agency or department on relevant independent benchmarking and technical standards compliance
- oversight and accountability, with both internal and external monitoring, and clear redress mechanisms
- interoperability with other government systems.
These principles are not specific to NSW. They are relevant and transferable to other jurisdictions looking to develop digital identity systems.
Whether Australia’s digital identity transformation is a success depends on how digital identity systems are established in law and practice. It is crucial that robust governance mechanisms are in place to ensure digital identity systems are safe, secure and accountable. Only then will Australians embrace and trust the digital transformation that is afoot.
Source: The Conversation