DTA attacks China-style social credit claims about Govpass digital identity

The Digital Transformation Agency is at public loggerheads with one of Australia’s most influential national security policy think tanks, the Australian Strategic Policy Institute, over claims its digital identity rollout needs strict legislation to stop a Chinese-style social credit system.

Yep, you read that right.

The DTA on Thursday hit back hard at an analysis brief penned by the head of ASPI’s international cyber policy centre, Fergus Hanson, which also bleakly warned the government risks a repeat of the Australia Card and Access Card flops because of poor public education and understanding of the schemes.

In an uncharacteristically personal broadside, the DTA accused Hanson of misrepresenting the digital identity program in his report, labelling it an “opinion piece” and claiming it was “was inaccurate and contained many factual errors.”

“The association of China’s social credit system and the Australia Card with Australia’s new digital identity program has no basis,” the DTA said.

“Nor do claims that private sector companies will be able to harvest user data. These demonstrate a clear misunderstanding of how the digital identity system is intended to work.”

“The Digital Transformation Agency (DTA) generously engaged with the author multiple times, providing feedback on factual errors which were not addressed in the final report,” the DTA’s riposte continued.

“This is disappointing given the profile of the Australian Strategic Policy Institute.”

ASPI’s profile, and in particular its influence surrounding international cyber relations between governments and key industry players, is a major headache for the DTA because Hanson’s highly critical report has the potential to spook already skittish ministers.

In the report, titled “Preventing another Australia Card fail”, Hanson asserts that the government’s digital identity push “is set to cause controversy and risk further disempowering Australians in the absence of clearer policy and legislative controls.”

Hanson’s core argument is that that efforts surrounding Govpass now face major obstacles because they have been insufficiently communicated for the degree of personal and biometric details involved in the process, and a paucity of black letter law safeguards surrounding them.

The ASPI report also takes a swing at both federal government agencies (Govpass) and Australia Post (Digital iD) for developing broadly similar digital identity credentials, saying neither scheme “is governed by dedicated legislation, beyond existing laws such as the inadequate Privacy Act 1988, leaving Australians vulnerable to having their data misused.”

“The lack of clarity about how the private sector will and will not be able to use the schemes will turbocharge the ability to gather detailed profiles of individual Australians. Controls are needed to prevent a Western version of China’s ‘social credit’ scheme emerging,” Hanson says in the paper.

The public connection of the DTA’s digital identity efforts to date to the notion of a social credit system – even if only theoretical – is an instant political nightmare for both the DTA and the fragile Morrison government because it sets-up the scheme for public caning on par with the My Health Record media debacle.

There is also a growing feeling within parts of the Canberra political and public service machine that the DTA has effectively been left to drift and is considered an orphaned pet project of former Prime Minister Malcolm Turnbull that simply fails to resonate with voters.

For its part, the DTA is steadfastly rejecting any suggestion that its Govpass scheme competes with Australia Post’s Digital iD service, arguing that the plan to have a federated digital identity model “allows for multiple identity providers but only one system.”

“This means people using the system will be able to choose to set up their digital identity with their provider of choice,” the DTA said in its comeback.

“The system is also opt-in, so people will have a choice whether or not to use it,” it continued.

For the DTA, one of the most galling positions taken by ASPI must be the overt recommendation to junk Govpass and just hand Australia Post the digital identity reins.

“Opportunities should be explored to avoid duplication between the two schemes. This could include reviewing whether Australia Post’s already operational scheme could be adopted as a national scheme (and Govpass scrapped, although keeping the existing [facial verification service]), or strengthened sufficiently so that it is suitable by drawing on the [trusted digital identity framework],” Hanson recommends.

“At a minimum, Australia Post should replace the ATO as the government identity provider under the Govpass scheme. This would be consistent with one of the DTA’s own core procurement principles of avoiding duplication by not building platforms that other agencies have already built.”

The timing of the release of ASPI’s latest report could not be more obtuse.

The use of digital identity for securing financial transactions is set to be a hot topic at next week’s massive Sibos convention when thousands of top executives from the world’s banking and technology industries descend upon Sydney.

The use of digital identities, augmented thorough biometrics, is regarded by many financial institutions as a game changer for combatting fraud and reducing the cost of know-your-customer (KYC) requirements which regulators have saddled the financial services sector with.

Banks in Australia have for years pressured and lobbied the federal government to create a less cumbersome KYC regime through the use of secure electronic identifiers, with the Reserve Bank of Australia also pushing for the adoption of digital identities to arrest ballooning credit card fraud.

However the entry of private financial sector interests into the digital identity space also has ASPI ringing alarm bells, with the think tank singling out Mastercard’s ambitions here for special attention.

“Mastercard (and no doubt competitors), for example, is considering using Australia as the first country to test and deploy its My Digital Life program,” Hanson’s ASPI brief says.

“This will be a platform through which third-party ‘attribute vendors’ can confirm different attributes of individual consumers, many of which will be enabled via digital identity.”

Hanson posits that this could entail building up profiles of individuals where “third-party ‘attribute vendors’ can confirm different attributes of individual consumers, many of which will be enabled via digital identity” to gain preferential customer service.

“This might include confirming that you have a perfect credit score, that you always pay your bills on time, that you never gamble, that you purchase fewer than 20 standard drinks of alcohol each week, that you give at least $1,000 a year to charity and that you volunteer,” Hanson observes.

But when it comes to government-minted digital identity credentials, ASPI insists hard legislative contols are need for both Govpass and Digital iD.

“Legislation should place strict limits on information about individual citizens that can be gathered through the use of digital identity verification and on-sold,” says the think tank’s third recommendation.  

“The development of social-credit-style schemes should be expressly prohibited.”

Just remember that next time you slap your driver’s licence down on the scanner in the foyer of your local registered club to prove where you live so you can get a cheap beer.