The Digital Transformation Agency has chosen to build the technology underpinning its trusted digital identity solution in house, and could spin off the exchange technology as its own business down the track.
The DTA unveiled its plans to create a whole-of-government approach to verifying identity across all online transaction services in 2015, when it was awarded the bulk of its funding - $33 million - for the effort.
After receiving a further $5.3 million in the 2016 federal budget, the DTA went straight to market to get advice on the alpha design phase of the identity verification solution.
But the project hit the skids last September when the agency informed the 70-odd organisations that responded to its request for information that it wouldn't proceed to buy a solution.
It has now revealed it has instead decided to build the exchange technology - the gateway that connects the government service with the user's verifier - itself.
And a privacy impact assessment, conducted by Galexia, also reveals the DTA could spin off the identity exchange infrastructure as a standalone entity in the future.
The identity exchange is a core component of the 'Govpass' trusted digital identity platform.
It sits between the government service and the identity provider, and blinds the two from each other: the identity provider doesn't know what government service the user is trying to access, and the government service doesn't see the user's identity documents.
It is being written in Golang and is utilising the OpenID Connect identity layer and SAML data format to exchange the verification data. The DTA said more technologies may be used as the product develops.
When signing up to the platform for the first time, users will be asked to provide their name, email address, and phone number, and verify their details via email or SMS.
They will then be asked to provide information from three identity documents, which goes through the exchange to the identity provider for verification. The exchange receives encrypted details back which it passes on to the government service the user wants to reach, which then grants the user access.
"This ‘double blind’ works by ensuring that the relying party receives an identity assurance that has been verified, without revealing the source of the assertion," the DTA's privacy impact assessment states.
"Similarly, an identity provider cannot see the eventual relying party who relies on the identity assertion – they only know that a successful interaction at the appropriate level of assurance occurred via the identity exchange."
This approach is intended to ensure privacy for users of the service; the exchange doesn't become a central repository of identity data, and identity providers can't access logs of the services being used by their customers.
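The double-blind relay described above, as an added Go example (not DTA or Govpass code): the exchange forwards a request that names only itself, then re-issues the provider's result under its own name. The type names, the random transaction ID and the HMAC-derived per-service subject identifier are assumptions made for illustration; the article does not describe how Govpass implements these steps.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Hypothetical message shapes for the roles in the article (not Govpass formats).
type RPRequest struct{ RelyingParty, Level string }
type IdPRequest struct{ Requester, TxID, Level string }
type IdPAssertion struct{ Issuer, Subject, TxID, Level string }
type RPAssertion struct{ Issuer, Subject, Level string }
type Exchange struct {
	Name    string
	key     []byte            // assumed secret for deriving per-service subject identifiers
	pending map[string]string // TxID -> relying party; never leaves the exchange
}

// ToIdP forwards a verification request without naming the relying party.
func (e *Exchange) ToIdP(r RPRequest) IdPRequest {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue guessable transaction IDs
	}
	tx := hex.EncodeToString(b)
	e.pending[tx] = r.RelyingParty
	return IdPRequest{Requester: e.Name, TxID: tx, Level: r.Level}
}

// ToRP re-issues the result under the exchange's name and returns the service to deliver it to.
func (e *Exchange) ToRP(a IdPAssertion) (string, RPAssertion, error) {
	rp, ok := e.pending[a.TxID]
	if !ok {
		return "", RPAssertion{}, fmt.Errorf("unknown or already used transaction")
	}
	delete(e.pending, a.TxID) // single use: a replayed assertion is rejected
	mac := hmac.New(sha256.New, e.key)
	mac.Write([]byte(a.Issuer + "\x00" + a.Subject + "\x00" + rp))
	sub := hex.EncodeToString(mac.Sum(nil)[:16]) // differs per service, stable per user
	return rp, RPAssertion{Issuer: e.Name, Subject: sub, Level: a.Level}, nil
}

func main() {
	e := &Exchange{"exchange", []byte("constructed-demo-key"), map[string]string{}}
	req := e.ToIdP(RPRequest{"tax-service", "LoA2"}) // constructed sample values
	fmt.Println(e.ToRP(IdPAssertion{"idp-a", "user-17", req.TxID, "LoA2"}))
}
```

The only place the service and the provider are linked is the exchange's `pending` map, which is why what the exchange retains and for how long matters for the privacy claim.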
It will, however, retain some metadata, like the time stamp and basic connection details of each transaction. This information will be accessible by the consumer, by participants in the framework for investigations of identity fraud or suspicious transactions, and by law enforcement or those with a warrant.
The DTA is currently looking into how long the metadata would need to be retained for investigations, so as to address consumer concerns about data collection scope creep, surveillance, and security.
The exchange is one of the three pillars of the Govpass program, alongside the framework - which details the policies, standards and requirements for a "nationally-consistent approach" to verification - and the process of setting up and accrediting verifiers.
The framework currently consists of ten documents, covering trust and governance models; standards for identity risk management, digital identity verification, and digital identity credentials; the federated identity architecture; and the core services requirements.
Australia Card mark II?
But concerns have been raised by consumers over plans to only operate a single identity provider for all of the Commonwealth government.
Identity providers in Govpass are those that confirm an individual is who they say they are. Organisations likely to be classified as identity providers are government agencies and banks.
The DTA said its research had found consumers make little to no distinction between federal government agencies, and international experience showed user experience was significantly improved when consumers only had to deal with one provider.
However, the decision has been met with a privacy backlash by stakeholders who say the move took them by surprise.
They pointed out that previous centralised models - like the Australia Card and Access Card - had failed spectacularly.
"Although stakeholders recognised some differences between those proposals and the [trusted digital identity framework] in relation to the overall framework and the identity exchange, they viewed the decision to establish a single Commonwealth [identity provider] as a ‘throwback’ to those earlier proposals," the privacy impact assessment (PIA) states.
"Even after detailed discussions and explanation on the details of the [trusted digital identity framework] most stakeholders still viewed the single Commonwealth [identity provider] as an updated version of the Australia Card/Access Card."
The PIA reveals stakeholders strongly felt there was no justification for the establishment of a single identity provider for the Commonwealth, and said such an important decision should have been subject to far greater community consultation.
The PIA revealed the DTA came to its decision through meetings with the likes of Human Services and the ATO - current providers of identity services - over time.
The assessment recommended the DTA take a step back and make sure it has the support of stakeholders and the community before going ahead with the proposal.
The agency revealed in a blog post on Friday that the Govpass project had now reached private beta stage, meaning it is testing working software with real users, but using test data.
It said it is planning to have a product available for testing by selected individuals by mid this year, and a public beta available for open testing on a "limited number" of services early next year.
The DTA said it has spent the last year discussing the platform in more than 500 meetings with interested parties.
"The DTA wants to make sure it gets this project right," it said.
"While building new technology can be done relatively quickly, there is considerable work involved to successfully deliver a sound and reliable new process and technologies for public use."
The agency says it is working to understand the complexities of the project to make sure all issues are addressed before the platform goes public.
Before that can happen, existing systems used across government need to be improved and tweaked to work with Govpass; stakeholders need to be comfortable with the whole proposal; the regulatory frameworks around the solution need to be bedded down; and the technology needs to stand up to use.
The DTA is currently in discussions with several potential identity providers, including state and territory governments as well as the private sector, to join up. It expects Govpass to begin operation with 'several' identity providers on board.
Initially only "simple" online government services will be available on the platform. This will expand to more complex transactions once Govpass is fully rolled out.