Identity in Australia is a mess and it's putting people at risk

This post is going to be broken up into 3 parts. Why you shouldn’t listen to me. A brief history and current status of identity in Australia. Why the current state is a problem and some possible ways out of this mess.

Part 1. Don’t listen to me.

This topic is so far outside my typical domain that I’m going to be missing a bunch of issues, concerns and subtle quirks. This in an opinion piece and shouldn’t be taken as fact. I wasn’t even born in 1985 (this is important later) so I can only go by information passed down to me.

Where I do have experience is that I have had the joy of updating all my identity documents. I have been victim of identity theft. And I have had the joy of myID (formerly myGovID) not working. I also work in tech and often have consulted on design decisions regarding verification and identity platforms.

Part 2. WTF happened and why is this like this.

For non Australians (Australians can probably skip this paragraph) reading this blog we have a system of authenticating to government services called “myID” (I’m going to ignore just how horrible this name is). myID is an app that can be installed on a phone and is tied to an email address. A government website (and soon non gov) can use myID to authenticate a user. It has various levels of identity strength a user can have, Basic, Standard, and Strong. Basic is practically useless - it means you installed the app and filled in some forms. Standard you have validated some documents like a drivers licence, passport, medicare card. Strong is where your photo is validated. The thing about myID is that many government services don’t require it. You can often sign up an account without a myID.

Now when you setup a new phone with myID you have to validate all those documents again. Why? Surely I could just sign into the account again. Or maybe another question is - why is myID even different account then myGov.

My assumption here is that is we need to take a trip all the way back to 1985, before the concept of a digital ID was even considered. The “Australia Card” idea was floated. The idea of the Australia card was to replace several government identity solutions and create a single solution that worked across both federal and state services. A big part of the Australia Card system was to crack down on fraud, tax evasion, terrorism and illegal immigrants. Effectively this was meant to be a magical cure for society. Every transaction would need an Australia Card number.

Now I should be clear here, I do NOT support the Australia Card proposal. The amount of tracking and overreach with that solution is immense, and I’m glad the proposal was eventually dropped. However it wasn’t without consequence.

The tax file system was extended, and every government service went along it’s merry way using their own identity systems, often having soft links to others.

At common law an adult may assume any surname by using such name and becoming known by it. A surname is not a matter of law but a matter of repute … The law of this country allows any person to assume and use any name, provided its use is not calculated to deceive and to inflict pecuniary loss.

New South Wales Law Reform Commission, Names: Registration and Certification of Births and Deaths, Report No 61 (1988)

This leads to an interesting outcome in Australia. We don’t really have a concept of a “legal name”. It’s a bit more like “whatever the service your trying to use is willing to accept”, and since federal and state government services don’t have a central identity system, you instead have an identity at a service level. Your name might be different (either intentionally, book keeping error, or system design issue) on all of these:

• State transport department (eg, vicroads)
• State services (Service Vic, Service NSW)
• Medicare
• MyGov
• Tax office
• ACMA
• CASA
• Local council
• Births / Deaths / Marriages
• Passport Office
• Many many many more

And this is before we even get to private companies trying to validate ID.

Part 3. Why is this a problem

A large part of the Australia Card (valid) opposition is that data tracking is an invasion of privacy. Additionally the threat of cutting off services to those refusing to use it or don’t have access to it hostile. It risks cutting off communities from services they need to live.

At the end of the day though, even without the Australia Card, the government still kind of “won” and fucked everything up. Sure, not every transaction was tracked, but we have tax file numbers and business transactions are heavily tracked. Banks are required to report suspicious transactions, as low as $10,000. Every service we interact with today asks for a birth certificate number, or drivers licence. Our laws require companies to store KYC (know your customer) data for long periods of time. The government will happily destroy the lives of hundreds of thousands of lives through shitty data matching - regardless of any sort of Australia Card.

When my identity was stolen in 2018 and used for phone toll fraud I was informed to update my drivers licence number (side note here, if you don’t have a drivers licence - identity becomes hard mode in Australia. Fuck cars.). This is good advice - however - the transport departments create drivers licences to identify who has a drivers licence. Yes a bit of a tautology, but the key point here is that the transport department is not designing drivers licences to be a generic identity document. Their use case is for police to check if you are allowed to drive. This has likely changed since my identity theft incident due to more recent data breaches, but at the time QLD did not allow changing the drivers licence number (CRN) unless a police report recommended it - and police in Australia do not investigate or write reports about fraud that has happened from overseas (amazing I know). I was unable to change my CRN. From the point of view of Transport and main roads QLD, my drivers licence could still be used for the purpose it was designed for. They would happily reissue me a new drivers licence with the same number…

So this is why myID asks for a bunch of documents to validate your identity. It’s trying to be the Australia Card scheme, without being the Australia Card scheme. A trojan horse of central identity. But it falls short because of our mess.

• Often fails to link identities because the data is slightly wrong or different between services
• Name changes can only be verified in NT, SA, TAS and ACT. lol.
• Even name changes in those states don’t work work if you don’t have a name change certificate (often the case for people who have updated their birth certificate during gender transition)
• You used different names between services
• We’ve created a link between all the accounts, thus defeating the point of opposing Australia Card
• Fraudulent users can just choose not to use myID in many cases and falling back to uploading legit looking documents
• myID’s approach is a security nightmare in it’s core design
• myID branding and usage in gov services is confusing at best. There’s no way for a user to learn what is safe and normal
• DID YOU KNOW THAT MYID ISN’T EVEN THE ONLY POSSIBLE PROVIDER??!?. That’s right, we might see more. Because free market and such, Australians need to know that they aren’t just looking for “myID” but also “Australia’s Digital ID System” tick. Make sure that your signing an “Australia’s Digital ID System” by checking this completely unhackable image. I swear to god.

So today what happens when a user is trying to access government services is a mishmash of identity verification methods, sometimes myID, sometimes optional, sometimes custom built. Users are trained to just send pictures and numbers of their identity documents to sites and services without much thought. Every state has implemented it’s own poorly implemented digital drivers licence.

Data matching is ripe. And fuck ups are common.

Then we have the private sector.

Hotels will photocopy, scan, and in some cases save into a public file share your drivers licence when you check in. The same identity document that can be used to access all other gov and private services. When identities get compromised we can’t even trace back to where they were stolen from.

With the government imposed social media ban for under 16s more and more Australians are having to validate their age online - often using the same identity documents that allow all access to their life. Each week we receive a “privacy and security of our users is a top priority.” email and wonder what our identities will be used for this time.

The state today is:

• The government still doesn’t care about our privacy and tracks us anyway
• All our identities are linked if we like it or not
• For many people, proving our identities is hard or painful
• The digital ID solutions today don’t provide a secure way of verifying our identity or anonymously (both parties) proving our age to third parties
• Companies are expected to keep copies of our identity documents

The political nightmare that was the Australia Card has naturally tainted any possible fix to this problem, but I think we can fix this.

1. (the big ask) Government repairs it’s social contract, stops treating it’s citizens like criminals and actually provide services to citizens. Provide consent models and allow people to opt out of things. A digital ID should be optional. Using one should be privacy preserving and require consent.
2. myID needs to be the one and only way of proving identity online, both for gov and private sector
3. myID should provide a consent model of what each service can see. In most cases myID should only allow verify, and not exchange (at the moment myID can provide data to every gov service)
4. myID should not provide any mechanism that could allow data matching of identities between services and should minimise the ability to identify users when performing verification tasks like age checks.
5. Private sector should be legally required to provide myID verification option. (there’s some caveats and concerns around this. The intention here is to provide a known secure way for people to verify identity while ensuring the private sector doesn’t store documents)
6. Drop drivers licences as a form of identity and allow myID to be a real identity, not just a meta identity.

I think it’s possible to build digital ID systems that help users be more secure and more private online, but it also relies of the government not fucking it up - which I know if a big ask.

Part 100 point check

The 100 point check “system” is the dumbest concept. Lets compare some 100 point checks across services

Renting - seemingly different per agent
Passport: 30
Drivers licence: 40
Birth Cert: 10 ????
Bank statement: 20

NSW Health, AFP
Passport: 70
Drivers licence: 40
Birth Cert: 70
Bank statement: 35

AusTrac / Banks
Passport: 70
Drivers licence: 70
Birth Cert: 70
Bank statement: 25

Equifax
Passport: 70
Drivers licence: 40
Birth Cert: 70
Bank statement: 25

Why is this like tennis scoring. You could normalise all these values down. No point system has an identity document that is worth “1” point. Further to this, nearly all the 100 point systems require $x category A documents and $y category B documents. The numbers don’t even matter at that point!