Friday, 19 October 2018 05:09

DTA, cyber expert at odds over GovPass analysis

The author of a detailed analysis on the Federal Government's proposed identity scheme, GovPass — a trial of which is scheduled to begin this month — says he worked closely with the Digital Transformation Agency while preparing it, but ultimately disagreed with the agency on its implications.

Fergus Hanson's report "Preventing another Australia Card fail" appears to have riled the DTA, which issued a long note of protest on Thursday evening, citing what it claimed were mistakes and incorrect conclusions.

But Hanson, the head of the International Cyber Policy Centre at the Australian Strategic Policy Institute, told iTWire that he had worked closely with the DTA, the Ministry of Home Affairs and Australia Post to write his detailed analysis.

"They [DTA, Home Affairs and Australia Post] had the opportunity to review multiple drafts," he said. "In the end, there were some disagreements with DTA over the implications of the scheme. I heard what they said, but ultimately disagreed with their assessments."

Briefly put, his write-up criticised the creation of two systems for identity verification — the Australia Post system known as Digital iD and the DTA-managed GovPass — neither of which was governed by dedicated legislation.

Hanson said that the DTA had done a poor job of telling the public about the safeguards — if any — to guard against such schemes hoovering up too much data and to prevent "a Western version of China’s ‘social credit’ scheme emerging".

Another key point Hanson made was that there was a danger of conflating two biometric services – the Face Verification Service, used for digital identity, and the law enforcement biometric enabler, the Face Identification Service.

"The FIS lacks adequate safeguards and in its current form is likely to attract public opposition far exceeding that directed towards the My Health Record scheme," he commented in his paper.

The DTA statement, attributed to its media team, made a blank assertion: "The report was inaccurate and contained many factual errors. It was not an informed or objective appraisal of the program." But thereafter, the statement did not provide detail to back this up; it appears that some of Hanson's characterisations got up the noses of people at the agency.

"The association of China’s social credit system and the Australia Card with Australia’s new digital identity program has no basis," DTA said. "Nor do claims that private sector companies will be able to harvest user data. These demonstrate a clear misunderstanding of how the digital identity system is intended to work."

And it added: "Another key assertion is that two digital identity systems are being built, which will compete against each other. This is incorrect. The digital identity federated model allows for multiple identity providers, but only one system. This means people using the system will be able to choose to set up their digital identity with their provider of choice."

A third objection was: "The digital identity program will not issue identifiers or cards. It will use a ‘double blind’ architecture where the identity exchange sits between the digital service and the identity provider. This protects a person’s identity by making sure that no identity provider can see the services being accessed, and services cannot see the personal information from the identity provider."

Hanson told iTWire: "My point was not that GovPass would create a honey pot of data that could be on-sold as part of a social credit scheme. The DTA scheme actually has good protections to prevent this.

"The point I make is that the scheme lacks controls that would prevent those who use it from harnessing the scheme to build verified profiles of Australians. Australia Post's scheme also allows this. That's why they both need to be brought under legislative oversight."

He said the schemes would compete against each other, DTA's protestations notwithstanding.

"DTA claims they won't compete because Australia Post is considering joining their scheme as an identity provider. Australia Post is considering this, but there will still be two separate schemes — GovPass and Digital iD — that will compete against each other and both of which taxpayers funded," he said.

Hanson has suggested the following changes to the ID schemes:

  • Accompany the introduction of digital identity with an overhaul of online citizens’ and consumers’ rights.
  • Communicate with the public about the schemes and the accompanying rights overhaul.
  • Place both Digital iD and GovPass under legislative oversight and protect both schemes from overreach. Expressly prohibit ‘social credit’ schemes that are facilitated by government-enabled digital identity checking.
  • Explore options to join the schemes.
  • Apply stricter and clear limits on the use of biometrics at the federal, state and territory levels.
  • Establish a national taskforce.

DTA had tied up with ASD-certified cloud provider Vault (formerly Vault Systems) to provide cloud services for the GovPass trial but then abruptly terminated the arrangement.

The agency then tied up with Microsoft's Azure cloud for its own corporate use, but has so far made no announcement as to who would provide the cloud services for the GovPass trial which is being run jointly by the Australian Taxation Office and the Department of Human Services.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
