Fergus Hanson's report "Preventing another Australia Card fail" appears to have riled up the DTA, which issued a long note of protest on Thursday evening, citing what it claimed were mistakes and incorrect conclusions.
But Hanson, the head of the International Cyber Policy Centre at the Australian Strategic Policy Institute, told iTWire that he had worked closely with the DTA, the Ministry of Home Affairs and Australia Post to write his detailed analysis.
"They [DTA, Home Affairs and Australia Post] had the opportunity to review multiple drafts," he said. "In the end, there were some disagreements with DTA over the implications of the scheme. I heard what they said, but ultimately disagreed with their assessments."
Hanson said that the DTA had done a poor job of telling the public about the safeguards, if any, to guard against such schemes hoovering up too much data and to prevent "a Western version of China’s ‘social credit’ scheme emerging".
Another key point Hanson made was that there was a danger of conflating two biometric services – the Face Verification Service, used for digital identity, and the law enforcement biometric enabler, the Face Identification Service.
"The FIS lacks adequate safeguards and in its current form is likely to attract public opposition far exceeding that directed towards the My Health Record scheme," he commented in his paper.
The DTA statement, attributed to its media team, made a blank assertion: "The report was inaccurate and contained many factual errors. It was not an informed or objective appraisal of the program." But thereafter, the statement did not provide detail to back this up; it appears that some of Hanson's characterisations got up the noses of people at the agency.
"The association of China’s social credit system and the Australia Card with Australia’s new digital identity program has no basis," DTA said. "Nor do claims that private sector companies will be able to harvest user data. These demonstrate a clear misunderstanding of how the digital identity system is intended to work."
And it added: "Another key assertion is that two digital identity systems are being built, which will compete against each other. This is incorrect. The digital identity federated model allows for multiple identity providers, but only one system. This means people using the system will be able to choose to set up their digital identity with their provider of choice."
A third objection was: "The digital identity program will not issue identifiers or cards. It will use a ‘double blind’ architecture where the identity exchange sits between the digital service and the identity provider. This protects a person’s identity by making sure that no identity provider can see the services being accessed, and services cannot see the personal information from the identity provider."
Hanson told iTWire: "My point was not that GovPass would create a honey pot of data that could be on-sold as part of a social credit scheme. The DTA scheme actually has good protections to prevent this.
"The point I make is that the scheme lacks controls that would prevent those who use it from harnessing the scheme to build verified profiles of Australians. Australia Post's scheme also allows this. That's why they both need to be brought under legislative oversight."
He said the schemes would compete against each other, DTA's protestations notwithstanding.
"DTA claims they won't compete because Australia Post is considering joining their scheme as an identity provider. Australia Post is considering this, but there will still be two separate schemes — GovPass and Digital iD — that will compete against each other and both of which taxpayers funded," he said.
Hanson has suggested the following changes to the ID schemes:
- Accompany the introduction of digital identity with an overhaul of online citizens’ and consumers’ rights.
- Communicate with the public about the schemes and the accompanying rights overhaul.
- Place both Digital iD and GovPass under legislative oversight and protect both schemes from overreach. Expressly prohibit ‘social credit’ schemes that are facilitated by government-enabled digital identity checking.
- Explore options to join the schemes.
- Apply stricter and clear limits on the use of biometrics at the federal, state and territory levels.
- Establish a national taskforce.
DTA had tied up with ASD-certified cloud provider Vault (formerly Vault Systems) to provide cloud services for the GovPass trial but then abruptly terminated the arrangement.
The agency then tied up with Microsoft's Azure cloud for its own corporate use, but has so far made no announcement as to who would provide the cloud services for the GovPass trial, which is being run jointly by the Australian Taxation Office and the Department of Human Services.