Feds try to elevate 'social log-on' for payments, e-services

Moves to allow private sector access to the Attorney General’s Document Verification Service should not be viewed as a cunning government plan to invade our privacy, but rather an effort to help secure digital identities.  

Stephen Wilson, principle of identity technology specialists Lockstep Consulting.

The DVS is a clearing house for those government issued documents routinely used for establishing identity.

To check if a driver's license or birth certificate is valid and current, you transmit a query to the DVS with the document number and details of its purported owner, and you receive a Yes / No response. 

The DVS is fed from sources of truth like the Australian Passport Service, bureaus of Births, Deaths and Marriages, and driver licence authorities. 

Until now, the DVS has only been available to state and federal government departments. 

Services like the DVS are envisioned as critical infrastructure. In theory the DVS ought to rectify a good deal of identity fraud, by providing more accurate and faster confirmation of foundation documents that underpin so much routine identification. 

What does DVS mean for privacy? If it simply reduces identity crime across the board, then it will bring wholesale privacy improvements, for identity takeover is one of the worst violations of liberty.  

On the other hand, if the DVS inadvertently exposes our online tracks, or if it normalises intrusive identification and over-collection of personal details, then it will degrade privacy. 

In truth, we should still regard the DVS as a prototype. Privacy issues remain to be worked through and resolved. The Attorney-General's Department has much work to do before opening up the DVS to business, so there is every opportunity now to do the “privacy engineering”. 

Identity has become a bane of our digital existence. We waste more and more time repeatedly registering and authenticating at umpteen websites, yet we face mounting costs due to ad hoc security, from unwanted marketing to identity theft. Federated Identity aims to solve all this by re-using established identities – or identity information – across multiple domains. 

Almost everyone has had a taste of this already, with social log-on. We love that so many sites let us in with a Twitter handle or Facebook identity, enabled by terrific web technologies like SAML and OpenAuth.

But let’s be honest.

Today’s social identities are issued by providers that don’t really know who we are, and are used by services that don’t really care.

Can social log-on be elevated to meet the exacting needs of payments, e-health and e-government? 

Federated Identity proves to be easier said than done. Too often big public-private partnerships have failed to thrive, principally because – according to my analysis – they tend to change almost unconsciously the way businesses and government relate to their customers and citizens. 

And here privacy advocates have every reason to be concerned. Instead of gathering ever more personal information, the urgent need is to protect the integrity of the various details we already use to prove our bona fides in different contexts.  

This is where the DVS could really help. We actually do a pretty good job of identifying one another in the real world, leveraging a mix of recognised identity documents. 

What we need now is the power to more faithfully reproduce those identity memes online.