Identity in Australia is a mess and it's putting people at risk

This post is going to be broken up into 3 parts: why you shouldn’t listen to me; a brief history and current status of identity in Australia; and why the current state is a problem, with some possible ways out of this mess.

Part 1. Don’t listen to me.

This topic is so far outside my typical domain that I’m going to be missing a bunch of issues, concerns and subtle quirks. This is an opinion piece and shouldn’t be taken as fact. I wasn’t even born in 1985 (this is important later) so I can only go by information passed down to me.

Where I do have experience is that I have had the joy of updating all my identity documents. I have been a victim of identity theft. And I have had the joy of myID (formerly myGovID) not working. I also work in tech and often have consulted on design decisions regarding verification and identity platforms.

Part 2. WTF happened and why is this like this.

For non-Australians reading this blog (Australians can probably skip this paragraph): we have a system of authenticating to government services called “myID” (I’m going to ignore just how horrible this name is). myID is an app that can be installed on a phone and is tied to an email address. A government website (and soon non-gov) can use myID to authenticate a user. It has various levels of identity strength a user can have: Basic, Standard, and Strong. Basic is practically useless - it means you installed the app and filled in some forms. Standard means you have validated some documents like a drivers licence, passport, or Medicare card. Strong is where your photo is validated. The thing about myID is that many government services don’t require it. You can often sign up for an account without a myID.

Now when you set up a new phone with myID you have to validate all those documents again. Why? Surely I could just sign into the account again. Or maybe another question is - why is myID even a different account than myGov?

My assumption here is that we need to take a trip all the way back to 1985, before the concept of a digital ID was even considered. The “Australia Card” idea was floated. The idea of the Australia Card was to replace several government identity solutions and create a single solution that worked across both federal and state services. A big part of the Australia Card system was to crack down on fraud, tax evasion, terrorism and illegal immigrants. Effectively this was meant to be a magical cure for society. Every transaction would need an Australia Card number.

Now I should be clear here, I do NOT support the Australia Card proposal. The amount of tracking and overreach with that solution is immense, and I’m glad the proposal was eventually dropped. However it wasn’t without consequence.

The tax file system was extended, and every government service went along its merry way using their own identity systems, often having soft links to others.

At common law an adult may assume any surname by using such name and becoming known by it. A surname is not a matter of law but a matter of repute … The law of this country allows any person to assume and use any name, provided its use is not calculated to deceive and to inflict pecuniary loss.

New South Wales Law Reform Commission, Names: Registration and Certification of Births and Deaths, Report No 61 (1988)

This leads to an interesting outcome in Australia. We don’t really have a concept of a “legal name”. It’s a bit more like “whatever the service you’re trying to use is willing to accept”, and since federal and state government services don’t have a central identity system, you instead have an identity at a service level. Your name might be different (either intentionally, bookkeeping error, or system design issue) on all of these:

  • State transport department (eg, vicroads)
  • State services (Service Vic, Service NSW)
  • Medicare
  • MyGov
  • Tax office
  • ACMA
  • CASA
  • Local council
  • Births / Deaths / Marriages
  • Passport Office
  • Many many many more

And this is before we even get to private companies trying to validate ID.

Part 3. Why is this a problem

A large part of the Australia Card (valid) opposition is that data tracking is an invasion of privacy. Additionally, the threat of cutting off services to those who refuse to use it or don’t have access to it is hostile. It risks cutting off communities from services they need to live.

At the end of the day though, even without the Australia Card, the government still kind of “won” and fucked everything up. Sure, not every transaction was tracked, but we have tax file numbers and business transactions are heavily tracked. Banks are required to report suspicious transactions, as low as $10,000. Every service we interact with today asks for a birth certificate number, or drivers licence. Our laws require companies to store KYC (know your customer) data for long periods of time. The government will happily destroy hundreds of thousands of lives through shitty data matching - regardless of any sort of Australia Card.

When my identity was stolen in 2018 and used for phone toll fraud I was informed to update my drivers licence number (side note here, if you don’t have a drivers licence - identity becomes hard mode in Australia. Fuck cars.). This is good advice - however - the transport departments create drivers licences to identify who has a drivers licence. Yes a bit of a tautology, but the key point here is that the transport department is not designing drivers licences to be a generic identity document. Their use case is for police to check if you are allowed to drive. This has likely changed since my identity theft incident due to more recent data breaches, but at the time QLD did not allow changing the drivers licence number (CRN) unless a police report recommended it - and police in Australia do not investigate or write reports about fraud that has happened from overseas (amazing I know). I was unable to change my CRN. From the point of view of Transport and Main Roads QLD, my drivers licence could still be used for the purpose it was designed for. They would happily reissue me a new drivers licence with the same number…

So this is why myID asks for a bunch of documents to validate your identity. It’s trying to be the Australia Card scheme, without being the Australia Card scheme. A trojan horse of central identity. But it falls short because of our mess.

  • Often fails to link identities because the data is slightly wrong or different between services
  • Name changes can only be verified in NT, SA, TAS and ACT. lol.
  • Even name changes in those states don’t work if you don’t have a name change certificate (often the case for people who have updated their birth certificate during gender transition)
  • You used different names between services
  • We’ve created a link between all the accounts, thus defeating the point of opposing Australia Card
  • Fraudulent users can just choose not to use myID in many cases and fall back to uploading legit looking documents
  • myID’s approach is a security nightmare in its core design
  • myID branding and usage in gov services is confusing at best. There’s no way for a user to learn what is safe and normal
  • DID YOU KNOW THAT MYID ISN’T EVEN THE ONLY POSSIBLE PROVIDER??!?. That’s right, we might see more. Because free market and such, Australians need to know that they aren’t just looking for “myID” but also “Australia’s Digital ID System” tick. Make sure that you’re signing an “Australia’s Digital ID System” by checking this completely unhackable image. I swear to god.
Digital ID accreditation badge

So today what happens when a user is trying to access government services is a mishmash of identity verification methods, sometimes myID, sometimes optional, sometimes custom built. Users are trained to just send pictures and numbers of their identity documents to sites and services without much thought. Every state has implemented its own poorly implemented digital drivers licence.

Data matching is rife. And fuck ups are common.

Then we have the private sector.

Hotels will photocopy, scan, and in some cases save into a public file share your drivers licence when you check in. The same identity document that can be used to access all other gov and private services. When identities get compromised we can’t even trace back to where they were stolen from.

With the government-imposed social media ban for under 16s, more and more Australians are having to validate their age online - often using the same identity documents that allow all access to their life. Each week we receive a “privacy and security of our users is a top priority.” email and wonder what our identities will be used for this time.

The state today is:

  • The government still doesn’t care about our privacy and tracks us anyway
  • All our identities are linked whether we like it or not
  • For many people, proving our identities is hard or painful
  • The digital ID solutions today don’t provide a secure way of verifying our identity or anonymously (both parties) proving our age to third parties
  • Companies are expected to keep copies of our identity documents

The political nightmare that was the Australia Card has naturally tainted any possible fix to this problem, but I think we can fix this.

  1. (the big ask) Government repairs its social contract, stops treating its citizens like criminals and actually provides services to citizens. Provide consent models and allow people to opt out of things. A digital ID should be optional. Using one should be privacy preserving and require consent.
  2. myID needs to be the one and only way of proving identity online, both for gov and private sector
  3. myID should provide a consent model of what each service can see. In most cases myID should only allow verify, and not exchange (at the moment myID can provide data to every gov service)
  4. myID should not provide any mechanism that could allow data matching of identities between services and should minimise the ability to identify users when performing verification tasks like age checks.
  5. Private sector should be legally required to provide myID verification option. (there’s some caveats and concerns around this. The intention here is to provide a known secure way for people to verify identity while ensuring the private sector doesn’t store documents)
  6. Drop drivers licences as a form of identity and allow myID to be a real identity, not just a meta identity.
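
One way the verify-only, no-matching properties in points 3 and 4 could be built, as an added example that is not part of the original post and not how myID works: each service gets its own pseudonym for a user, and an age check returns only yes or no. The key, account id, service names and function names are all hypothetical.

```python
import hashlib
import hmac
from datetime import date

# Constructed demo data: the key, account id, service names and user are made up.
PROVIDER_KEY = b"demo-only-secret-held-by-the-id-provider"
USERS = {"acct-001": {"name": "Sam Example", "dob": date(2001, 3, 14)}}


def pairwise_id(account_id: str, service: str) -> str:
    """Stable pseudonym for one account at one service (hypothetical scheme).

    Keyed with a provider-only secret, so two services cannot recompute or
    compare each other's identifiers for the same person.
    """
    msg = service.encode() + b"\x00" + account_id.encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def login(account_id: str, service: str, consented: bool) -> dict:
    """Sign-in: the service learns only its own pseudonym, no attributes."""
    if not consented or account_id not in USERS:
        return {"ok": False}
    return {"ok": True, "sub": pairwise_id(account_id, service)}


def verify_min_age(account_id: str, min_age: int, consented: bool,
                   today: date) -> dict:
    """Age check: a yes/no answer with no identifier, name or birth date."""
    if not consented or account_id not in USERS:
        return {"ok": False}
    dob = USERS[account_id]["dob"]
    return {"ok": True, "min_age": min_age,
            "verified": age_on(dob, today) >= min_age}


if __name__ == "__main__":
    today = date(2025, 1, 1)  # fixed date so the output is repeatable
    print(login("acct-001", "hotel.example", consented=True))
    print(login("acct-001", "bank.example", consented=True))
    print(verify_min_age("acct-001", 16, consented=True, today=today))
```

This only stops relying services from matching records with each other; the provider still holds the key and can link every pseudonym, so it does not by itself give the both-parties anonymity the post asks for.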

I think it’s possible to build digital ID systems that help users be more secure and more private online, but it also relies on the government not fucking it up - which I know is a big ask.

Part 100 point check

The 100 point check “system” is the dumbest concept. Let’s compare some 100 point checks across services.

Renting - seemingly different per agent
Passport: 30
Drivers licence: 40
Birth Cert: 10 ????
Bank statement: 20

NSW Health, AFP
Passport: 70
Drivers licence: 40
Birth Cert: 70
Bank statement: 35

AusTrac / Banks
Passport: 70
Drivers licence: 70
Birth Cert: 70
Bank statement: 25

Equifax
Passport: 70
Drivers licence: 40
Birth Cert: 70
Bank statement: 25

Why is this like tennis scoring? You could normalise all these values down. No point system has an identity document that is worth “1” point. Further to this, nearly all the 100 point systems require $x category A documents and $y category B documents. The numbers don’t even matter at that point!


CSR Journal Part 0

CSR sign pointing towards the sky

I’ve decided to publish my journal on the CSR trip - a roughly 1,800km journey through outback Western Australia. There are no services (phone, fuel, towns) with the exception of Kunawarritji roadhouse which provides a basic store, water and fuel. The route is almost entirely sandy dune crossings with some rocky sections. It’s deemed one of the toughest off-road trips one could adventure on.

Before we begin though I think it’s important to recognise that like most modern Australian history, it’s plagued with racist, violent and inhumane treatment of Australia’s land owners. Canning’s treatment of the indigenous people is inexcusable and this trip is not about remembering Canning’s legacy. Throughout my journals I’ll be referring to the CSR in acronyms only. Rusty (a traveler in our convoy) suggested it be renamed “Corrugated Stock Route”.

It’s also important to note that the places we visited to the best of our knowledge are accessible under our permits for the time, however certain sites open and close over time.

So if it’s not about remembering Canning, what is this trip about?

Completing the CSR for me serves several purposes. The most important being worry free. Once you enter the CSR you are completely offline. To an extent world events can’t even stop you. Even if they close the CSR while you’re on it, you likely wouldn’t know until you finished it. It’s also not a short trip - with 1,800 km to travel (though we did about 2,030km with the side trips we added) and only being able to do ~100-200km a day, it provides plenty of time to stop worrying about everything else in the world.

The next important thing is exploring Western Australia. I’ve spent probably the least amount of time in this state and the CSR seems like the best way to see some of the best that Western Australia has to offer.

Aerial photograph of the landscape around Gravity Lakes clay pans

Finally there’s a technical pursuit. Can our car, equipment, radios and even ourselves hold up to the challenging environment.

How do you even?

This post most certainly isn’t going to act as a how-to, but I think it’s worth mentioning some of the technical requirements of this trip to give an idea of the scale and planning required.

Most of doing the CSR is about logistics. Driving the CSR is the easy part, the prep work for the CSR is the hard part. If you’re not prepared it’s easy to lose your car or even your life out there.

Burnt out car along the CSR

Fuel

The most important is probably fuel. Leading up to the trip we did many smaller trips with similar terrain as the CSR. This gave us a rough idea of fuel usage in sandy dune covered tracks. Naturally we added some buffer to this and came up with 138L on board tank + 7 jerry cans (140L). Think about where you’d store 7 jerry cans on your car. Now work out how much weight your car can carry (GVM).

Water

Water is also important! There are two problems with water - how much to store and how to use well water. The CSR has many restored wells that you can use along the trip. Most of these are fine to drink after boiling or you can use something like an MSR Guardian to filter the water. We decided to carry roughly 80L of water and rely on filtering some well water along the way.

Food

For the first few days you can eat your normal camping meals with perishables (bread, salad, eggs, veggies) but eventually you’ll run out or they’ll go bad. We have an Engel fridge/freezer, so we ended up freezing a lot of meat and cheese. A lot of produce can be found in cans - like peas/corns/carrots and potatoes. The biggest problem though with food is storing it all. You need to keep a buffer of food if you get stuck. We ended up with about 4 weeks of food, and storing it all was challenging. One of our storage tubs ended up being filled mostly with corn chips. You also need to be able to cook it! That means bringing all your required cooking equipment, stove, gas bottle.

Rusty’s setup was very different from ours - 30 frozen meals, a freezer, and a microwave running off an inverter and battery system. Pretty jealous of this setup.

Communications

Number one requirement of this trip is packing a PLB. There is no cell service out here, if someone is in a life threatening emergency this is the best chance of survival.

For non-emergencies though, sometimes it’s good to keep in touch with people to let them know you’re ok. We have APRS on HF radio to let people track where we are, and a scheduled HF contact. The scheduled HF contact serves to talk about the trip and less so about world events happening - so even though you have a way of talking to the rest of the world, it doesn’t shatter that disconnected feeling.

We also used WinLink for short messages to friends and family and send compressed pictures to Twitter for fun.

Rusty also has a Garmin InReach which allows for GPS tracking, short messages and weather updates (though I don’t trust the weather updates out here as BoM just has this listed as one big “Northern Interior” region which covers most of the state)

Waste disposal

Think about all the waste you create when you prepare a meal. Tins, glass bottles, wrappers. So many little things. There are no bins on the CSR. Nowhere to dump rubbish. Everything you take in you must take out. Some stuff you can burn - like paper boxes - but you end up having to carry a lot of rubbish. We have a canvas rubbish bag that fits over our spare tyre - even with this we are careful not to generate too much waste.

Camping meals

Take what we learnt above about meals, water, and waste, and think about cooking some Rigatoni pasta. We have to store a large packet of pasta, taking up valuable space; to cook it we need a large amount of water, we need enough gas to boil the water, and our pasta sauce likely comes in a glass jar.

While pasta makes for a great easy camping meal, it makes for a terrible CSR meal.

Getting there and back

Just travelling to the CSR from Melbourne is a journey in itself. We spent 3 days just to get to Wiluna, the start of the CSR, and we’ll have travelled even more getting back.

Melbourne to Wiluna on Google Maps - 36 hours driving time

Should I read your journals?

Short answer. I don’t know. They are fairly brief descriptions of what I found interesting, how I felt and what we did that day. It doesn’t cover everything, and shouldn’t be treated as some sort of travel guide.

I’ll include a couple of photos that I took along the way with each post, so even if you don’t find the text that interesting, you might enjoy the photos.