Australia’s digital identity dilemma 

Australia is lagging behind in terms of centralised citizen digital identity. How much longer can the “100 points of ID” process last?

As government services move online in Australia, proving citizen identity is becoming a more common problem. We need to provide the same evidence over and over as individual departments at various levels of government implement standalone solutions.

This is also a problem outside of government, with the likes of banks and real estate agents taking us through the 100 points of ID process. A process, I might add, that is so open to interpretation that you now need to provide more proof of identification to rent a dwelling than you do to be allowed entry back into the country after an overseas jaunt.

Meanwhile, our neighbours in New Zealand use their RealMe identification to prove who they are when online, to log into multiple government sites and services, as well as some private sector services like banking. They can even use their RealMe identity to renew their passports online.

So the discussion turns to an official Australian e-identity (e-ID) and even an official physical identity card (incorporating our e-ID) to finally replace our “unofficial” identity card – the ubiquitous driver’s licence.

Australia is part of the shrinking group of countries without an official identity card of some type – many are compulsory for all adults and some are required to be carried at all times – but I don’t believe we need to go that far. Most of those countries with an official ID card already have or are implementing some form of interlinked e-ID.

If we are considering e-ID models, what direction should we take? Should we look to a federal level ID that could be linked to our passport system, simplifying that currently onerous process? Or should we opt for a federated model, with the individual states responsible for administering a federally regulated scheme, to ensure interoperability and transferability of credentials?

Having an e-ID, or indeed a universally recognised identity card, would remove the need for the current 100 points of ID, and the data security issues inherent in that scheme. Where do all those photocopies and scans of your passport, driver’s licence and birth certificate end up?

Obviously, trust in our various levels of government is crucial for any identity scheme to operate effectively. But the question for detractors of a nationally recognised identity scheme is whether there is really that much difference between big business tracking everything we do (and they currently do) and our government doing the same (and they are getting better at doing it now anyway)?

I am reminded of an old Dilbert* comic lampooning the fear of internet shopping of the time, where Dilbert hands his credit card to a waitress who returns a while later wearing a fur coat. Do we really need to wait for a foolproof solution to a currently flawed system, or do we take the plunge and just move to something incrementally better?

We would need to get the model right first, but as we are laggards in this space, there are so many studies and models already tried and tested for us to review and pick the best parts of each. A properly formulated and regulated identity scheme, with appropriate access controls (for example, queries that return an appropriate response without necessarily giving access to private data), would remove many of the current privacy issues with proving our identity or entitlement for services.

Let’s take a simple trip to the pub as an example. Currently you may need to provide a driver’s licence as proof of age when all the pub needs to know to meet their statutory obligation is that you are over the legal age. But the proof that you have actually provided them is your date of birth which, when combined with other data on the card, may be able to be used to perpetrate identity theft (and your licence may have been scanned and stored by the venue). But if we look to Estonia or Italy as examples, the identity card is scanned to verify that the patron is entitled to be served, and a simple binary response is returned – yes or no. No potential privacy breach.

When considering such a scheme, we also need to be cognisant of what services require absolute confirmation of identity. That is, is there any need for our identity to be restricted to a singular consistent digital identity, or should we continue to enjoy the benefit of having multiple online identities, keeping various aspects of our daily lives separated?

Implementing a scalable ID scheme is complex, but no more so than the potential benefits it could provide. It’s the next frontier for government services to hurdle – let’s hope it’s one we see tackled soon.

*Dilbert by Scott Adams

Louis Hof

Senior Consultant