#85 Taking identity digital

Jordan
Welcome to another edition of This Week in Digital Trust, 11M’s regular conversation about all things tech policy, privacy, and cybersecurity. I’m Jordan, joining you from Wurundjeri country in Melbourne.

Brett Watson
And I’m Brett, joining me from the land of the Darug and Guringai people in Sydney.

Jordan
And you’ll notice that that’s the first time I’ve ever done that introduction, because Arj isn’t here. He’s on a bit of leave at the moment, so… Brett’s bravely stepping into his shoes as our resident expert in digital ID and we’re gonna have a chat about digital ID.

Brett
Yes, very happy to be here. Jordan has some huge shoes to fill, but I’ll seem to fill them nevertheless. And yes, a topic that I’m very interested in and it seems like it’s having a little bit of a moment at the moment in the media and so on. So very happy to.

Jordan
Yeah, it is having a moment, isn’t it? It’s something we, Arjun and I, have been talking about and we’ve been talking about Brett for quite a while. We’ve been talking about it in response to the Optus data breach. That was like a year ago now, I think. When that happened, we all asked, well, why on earth are they holding all this data about people, 100 points of ID with like every telco provider and every bank and every… doesn’t really make sense. So why isn’t there a better solution?

We’ve also been talking about it a lot in terms of age verification, right? Online that like, surely there’s a good way of privately and securely proving how old you are to some website again, without sending them in a copy of your ID. So there’s a bit of news very recently that’s kind of triggered this conversation as well, that a few weeks ago, finance minister Katie Gallagher, announced an exposure draft of what’s called the digital ID bill, which is a law that will establish a kind of national digital ID framework.

Then there’s Connect ID, which is private sector digital identity service that was just announced by Commonwealth Bank and National Australia Bank that they’re going to roll out this private sector digital ID system where you can get with other service providers. There’s all this stuff going on, right? There’s a law, there’s a private sector solution coming into play. There’s already some stuff going on in digital ID. It’s quite a complex area. So with all of that, wanted to sit down with you, Brett, and just like, what on earth is going on?

Brett
We’ll see what we can do. I mean, in half an hour or so, if you like being, you’ll find the conversation interesting. You’ll probably leave it feeling a little bit confused because that’s how I generally feel after a digital ID conversation. But I generally find with the digital idea, sort of taking it back to first principles, almost taking it back to school on what’s actually occurring can be like a useful way to conceptualize it. So maybe a question for you, Jordan, can you remember when you got your first ID?

Jordan
Oh, good question. First ID. I think my driver’s license was the first real one, right? That, I mean, we were talking before about like Dolomites in school and stuff. And like, probably I had like accounts and identity documents, a birth certificate, I suppose, pretty early on. But yeah, the first thing that I think of as an idea I had was my driver’s license.

Brett
And I thought same for me. And I’d say that’s a fairly typical user experience, like in having an ID, like in Australia. So you’ll start your life with a birth certificate if you’re born in Australia, or perhaps a citizenship certificate if you’ve moved to Australia from overseas, you become a citizen. And that kind of is like a foundational building block upon which other types of ID can be built upon. So you mentioned the driver’s license, so you start with the birth certificate and then you can use that to go to your local Transport Authority to get your learner driver’s license.

So they’re relying on the birth certificate to create your driver’s learner driver’s license. And then over time, there might be a bank or a telecom that relies on the integrity of the driver license licensing system to then set you up with credit that will then set you up with an account there. And then you could use a combination of those things to get IDs or services and other areas.

Jordan
That’s your like, yeah, your hundred points of ID kind of thing, right? The combinations, the, and I mean, it’s funny. It’s something that we kind of accept and take for granted, right? That you use your driver’s license as the primary form of ID, but it’s kind of weird as well, right? Like it’s this doc, like the purpose of the document is not to prove who I am. The purpose of the document fundamentally is to demonstrate that I’m allowed to drive a car.

Brett
So this is something, I mean, it’s not necessarily unique to Australia, but it’s. We have this sort of relational system by day where there isn’t one single document that we have in Australia that is just designed for the sole purpose of proving identity, like there are some other countries in the world, but there’s an adha biometric system in India that uses fingerprints and that’s designed just for identifying people and there’s some other cases in Europe, but generally in Australia, when we’re producing an ID, we’re producing a document that was created for a particular purpose to show that you have a right to drive or you’re entitled to receive Medicare or you have some other entitlement. And it just so happens that document also contains a lot of information about you and possibly photos that can be used for this secondary purpose of just sort of proving who you are.

Jordan
Yeah, and VicRoads or whoever it was has checked, right? They have gone and, you know, they’re a reputable organization. It’s relatively hard to forge and they’ve gone and checked my birth certificate or whatever else, same reason passports are useful, right, as an identity document. So, okay, so that’s physical, right? That’s standard form of ID. It’s usually, like you’re saying, relying on some kind of authority or someone else has checked and there’s a hard-to-forge artifact that I can use to demonstrate that. How do we turn that into digital?

Brett
So, we go back to sort of the early to mid 2000s, there’s this system that the Commonwealth government has been running called the Document Verification Service. I’ve described this at the time, just one of the biggest things that you’ve never heard of. As the name suggests, the idea of the document verification or the DVS is that if you fill in the biographic fields on an identity document like a driver’s licence onto an online web form, for example, it will then route that query through a hub that’s run by the Commonwealth Government to the official record holder. So say it’s a New South Wales driver license on the hold. It will bring the Transport for New South Wales database and will do a match as to whether the fields you prevented matches what is on the official record. And then we’ll bounce back with a yes or no, this matches or it doesn’t. So it’s kind of a way of checking the official record for verify that the document exists.

Jordan
That’s the classic way of digitizing something by like, let’s just make it applicable to the internet, or like let’s take the same form we used to have and put it on the internet, use the internet, but we’re still using that same driver’s license. Like the DVS system is really just a better way of checking that driver’s license exists.

Brett
We’re both kind of laboring the fact this exists word because we’re both coming to the sting. It is a limitation of the DVS that it’ll only check the existence of a document. So someone who has an identity document will enter in what’s on that ID and have it checked by the DVS. The DVS won’t know if the person who did that is actually the person who’s entitled to use that record. So it won’t know if I’m entering my own driver’s licence details or my brother’s driver’s licence details or my friend’s driver’s licence details. All that it knows is whether those records exist, which is a limitation from a fraud and integrity point of view.

Jordan
Yeah, right. It doesn’t stop me using someone else’s driver’s licence when I register for something. It also doesn’t innovate on that basic system where I have a card that is given to me by VicRoads that is really the primary purpose of that is to prove that I can drive a car. And I’m using that fact, that thing to evidence my identity for some other purpose. Right? So that makes sense. We’ve got, I’ve got my driver’s license. I’ve got some, you know, early way, DVS as an early way of digitizing that of proving that driver’s license exists over the internet.

Kind of the next step, I suppose, in that evolution after the DVS is, is what we start talking about as like a digital ID, right?

Brett
Yep. So if, so boil down the problem statement, I suppose, that a digital ID is trying to solve one of those is this idea of verifying that the person who is conducting their business online is entitled to use the information to back up who they are. That’s, that’s kind of like the where the digital idea kicks at a level above the DDS. And as we’ll talk about as well, you then are innovating for disclosing only information that is necessary to answer a query. So rather than a big sort of packet of data in response to a single query, the innovation and the level up for digital idea is this idea of only disclosing what is necessary in answer to a query.

Jordan
Yeah, right. So digital idea, will still follow that same model of there’s an authority that I’m pointing to maybe, who’s checked and is confident of my identity. But rather than tying it to the card, we might be able to ask different questions. Can you verify that I’m a certain age? Can you verify that I live in a certain place or that I’m entitled to drive a car? And if we’re doing this in a digital environment without being quite so attached to the card, we can do that for a range of different attributes, right? The set of possibilities kind of expands.

Brett
I’m not sure whether at this stage it’s taking like one step back or step to the side. Maybe just think about what a digital ID actually is, because it’s something that, like, in some ways defies definition or description, because sometimes you will see reporting that it’s a unique identifier or something like this, which it’s not. Or that it’s a card, which it’s also not.

The recently released Digital Identity Bill, I think, does quite a good job at trying to boil it down into a definition, and I’ll read it. Digital Identity for an individual means a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services. So that’s a legalistic definition, but if you sort of boil that down into something that’s a bit more plain English, and it’s another definition I’ve seen online. A digital ID is the information and data that identifies an individual in the digital world. And I guess what’s happening there with those definitions, it’s really trying to avoid it being boiled down to a single thing or a single capability. It’s recognised that a digital ID really is this combination of features and attributes about a person that when brought together, comprises an ID rather than it being a single driver’s license or a single passport. It really is kind of like this holistic ecosystem of information.

Jordan
Yeah. So that definition of a digital identity is kind of almost a philosophical definition of identity, right? In that like, like it takes us away from this idea of an identity is a card or collection of facts about a person or something, a collection of things about a person?

Brett
Yeah, I would say that it almost, hopefully, is codifying this relational system that has just evolved over time, over the last time, over many years, of the different ID documents speaking to each other and then collectively, you know, it forms a cohesive whole of 100 points of ID. It is sort of actually this articulation of in the digital context, what a hundred points of ID actually means.

Jordan
Yeah, I know that makes sense. So, okay. So, so we’ve got this definition of ID, then we’ve got this set of roles within the system, this diagram you were talking about of providers, ID providers, attribute providers, exchanges, relying parties, how do they interact?

Brett
We start with, with identity provider perhaps as the first role that we focus on.

The role there is sort of enrolling an individual and creating an ID. So digital IDs exist already so that there’s myGov ID that is provided by the Commonwealth Government. There are at least a million, a couple million Australians have a myGov ID. And so in that setting, the Commonwealth Government is the ID provider. It sets up the ID for the individual. And in order to do that, the individual provides, you know…

information depends on what level it is and we’ll talk about the levels a bit later. Especially a person enrolls to an ID provider and they have a digital ID.

Jordan
In the physical case, like my driver’s license, the identity provider is VicRoads, right? Or New South Wales Roads, whatever they’re called. The people who have verified my identity, they’re vouching for my identity in that kind of way.

Brett
Yes, and you’re getting probably a card for example, if there’s a lot less value. Initially, where the value can come is from attribute providers. So this is another part of the ecosystem. And this is where we consider examples like the right to drive, what we’ve talked about earlier, or the right to a government benefit.

Jordan
Which is an attribute in this language. Yeah.

Brett
Yes. And this it gets quite confusing a lot of the time because you’re talking, you know, in a person’s terms a lot of the time that these things are credentials. Like my academic qualification is a credential, but in this sort of digital ID parlance, they’re referred to as attributes, so they’re features of a person’s digital identity. The way that it, so the interplay between the holder of these attributes, so in the case of right to drive, the transport authority, or in the case of academic qualification, is that there is an exchange that sits in between. So, to feed into the digital ID, a request will be routed via the exchange to the attribute provider and there will be a check as to the authenticity of the digital ID and then it will feed back an attribute to the ID which can be added. So say, yes, this person holds this qualification or yes, this person has this entitlement. And so over time, a digital ID can have various attributes added to it that relate to the activities of the individual in the community.

Jordan
Right, so you’ve got this set of actors. You’ve got my ID provider who vouches for who I am. You’ve got an exchange sitting in the middle that connects them to say an attribute provider to say, yep, you know, Jordan has a degree and he’s allowed to drive a car and he’s over 18. They might be different attribute providers, actually, each of them communicating to the exchange. And then you’ve got on the other end of that, a relying party, a website I want to access or a police officer who’s pulled me over at the side of the road or whatever, um, then, you know, so they would, as the relying party query the exchange, you know, the ID provider could vouch for, yep, that’s actually Jordan. And the attribute providers would vouch for, yeah, he’s allowed to drive a car. And then that all comes back to the relying party. We can tick off whatever attributes that they need to validate and on we go.

Brett
Yeah, that’s one of the classic use cases. And one of the, I think, initial consumer use cases that’s going to be rolled out for this is this sort of online purchase of alcohol. So yeah, the classic example would be that you have a digital ID and that is your date of birth as part of your digital ID. You want to buy a bottle of wine or something online. And so your digital ID feed through the exchange to the bottle shop that, yes, you are over 18. You are entitled to make that purchase, and then it can proceed. And I think the critical element there, which maybe we can unpack now, is this feed through to the exchange of, yes, over 18, not born on X date in 1980, whatever.

Jordan
Yep. Yeah. And that’s, it’s one of the things that gets privacy people in particular, I think both excited and nervous about this, right? Cause on the one hand, that functionality fantastic, right? Like if I want to buy a bottle of alcohol, the only attribute that they need to validate is over 18. Why am I giving them my proof that I can drive or my actual date of birth, whatever?

But at the same time, what we’ve just described is a framework for transactions where you have a central party who can see everything, right? Or is involved in like every transaction I make. And so one of the design challenges there is to prevent that central party from actually seeing every transaction where I buy, you know, they can vouch for my identity, but you want to build the system in a way that they can’t actually see what I wanted to buy or why I needed to prove my age, right?

Brett
Yeah, I absolutely agree. I think there’s sort of almost a displacement of the privacy risk in this system. You’re sort of taking the risk away from the relying party who may need to, you know, site or store more personal information than they need to. And that risk is instead is sitting with the exchange in the middle. And this is sort of the big neon red asterisk of the privacy protective nature of the system. And it is genuinely privacy protective the way it’s designed. I think one of the things that’s interesting, useful, lifting as a privacy person being in these discussions is that for once these concepts of minimum collection, minimum disclosure, aren’t controversial. The privacy stuff is sort of the headline item. It hasn’t always been that way. But for this, the privacy protective nature is sort of front and centre.

But it does really rest on how well the exchange in the middle is designed, the cryptographic controls that are built into it to ensure that there’s no visibility in the middle or either side of the information that’s flowing through.

Jordan
Yeah. And that is to be clear, that is core to the design of what’s being proposed in the legislation and the, the existing kind of systems, right? Both that private one connect ID that the banks are rolling out andthe federal legal one, the trusted digital identity framework and this digital identity act, all of those core to that design is that exchange in the middle can’t see anything, right? There’s double-blinded encrypted in a way that means that they don’t see the transactions I’m making.

Brett
Yeah, that’s sort of the exchange is the benefit, but the whole group, the risk, I would say, as well.

Jordan
The question I get to at this point is like, well, okay, that sounds great. Digital ID, great. You know, privacy preserving lets me data minimize, only prove the attributes that I want to prove. Why aren’t we there yet? Like, why don’t we have it? Right. Cause this is something that’s been kicked around in various forms for years and you know, well over a decade. Right?

So I want to just get into some of the reasons and I have my opinions, I’m curious if you agree with them, that there are three core reasons here that digital identity hasn’t quite worked so far. One is just like people don’t like identity, right? Like people don’t like a national ID card. The Australia card always comes up in these kinds of conversations. It was proposed in the 80s, lots of substantial popular opposition to an ID card in Australia. So that’s one.

Problem two or challenge two is that there are some pretty significant inherent risks here if it’s not done right, right? That that surveillance kind of risk or just the connection of identity systems to government power and your ability to cut people off from welfare or enforced tax or immigration or other laws that, you know, it’s a identity is a tool of government power and so people are rightly skeptical tied to that Australia card skepticism.

And three is just hard, right? Like it’s hard to build a system like this. Is that right? Am I missing something or are they the core?

Brett
I would agree. If we go to the card of like the fears around identity, the public skepticism and things like this, yes, the Australia card does always get thrown around as the salient example.

One of the things that we have in Australia, we talked earlier about how there’s this system of reliance of different credentials like passport and driver’s license. It shouldn’t be underestimated the complexity that comes from those different ID documents coming from different jurisdictions in Australia. So you get your passport at the Commonwealth level, you drive a license from your state or territory or authority. And that’s before even private sector interactions occur and stuff like this. So to kind of upgrade or innovate in the identity space requires sort of a cohesive whole of government approach across the various jurisdictions, which is extremely difficult for a multitude of reasons. You know, governments have different priorities. Legislation across different jurisdictions don’t speak to each other. There are a range of reasons.

Jordan
A couple of the states don’t even have privacy laws, right? Like, that’s one that really came up from the Victorians point of view. That’s been a real sticking point, right? That like, how can we trust those Western Australians with their crazy laws or whatever? Like just the like state-based legal interaction and politics and the fact that their privacy laws are just an administrative array, you get all these like really technical kind of debates.

Brett
Yes, I agree. Like, privacy is sort of one, I’d say, fairly salient like example of this, but there are many other sort of fronts around the interests of different agencies, you know, law enforcement, service delivery, and so on in the different jurisdictions that just make it very, very hard for a unified front. And so there’s been a bit of policy gridlockers, maybe a bit harsh, but I feel like that is not an unreasonable description of this area over the last 10 to 15 years.

Jordan
Lining up a lot of those different interests and competing jurisdictions, I think seems to be something that this proposed law is trying to navigate right with that phased approach. I think the last time around a couple years ago, I think under the Morrison government, there’s been some attempts to get digital ID up and running. One of the things I think they did wrong was just tried for too much. Like the proposal included law enforcement face matching against various different drivers’ license and passport databases and all of these things all in one. And it never quite got there. And so what I think the digital ID bill is doing with this and the government with their phased approach is kind of starting with the stuff that we can all agree on. You know, it’s just, or a simple use case, just Commonwealth validating Commonwealth IDs and then, you know, okay, well, let’s add the states in phase two, let’s add, um, private sector in phase three. It seems like kind of a humbler or like more kind of slow and practical approach to navigating those complexities. Is that right?

Brett
I would agree with that. I think that the real emphasis of this round of legislation is on identity verification. So this is that sort of one-to-one proving that someone is who they were claiming to be. As you pointed out, previous iterations of legislation in this area have sort of joined together the idea of verification with identification. So picking out someone in a crowd for law enforcement purposes and stuff like this, they’ve acknowledged the risk there, carved it out and focusing on this verification piece now.

Jordan
Which makes sense because that’s like a completely different use case, right? That, you know, like, again, all of this ID verification that we’ve been talking about or proving certain attributes. Um, yeah. Versus like I have a photo of someone from a protest or from a CCTV camera. I want to know who they are. Yeah. Completely different use case. Yeah.

Brett
And so I would say that, um, yes, well, I guess narrowing the size of the target from a sort of legislative and public policy point of view is likely to hopefully be successful in terms of clearing the way for the government to put some guardrails around the system. I think that maybe is creating its own separate issues with the speed of the rollout. And we’ve seen recently with the Connect ID launch that perhaps the private sector is getting a little bit tired of, of waiting and I came to get going, uh, with this, of their own accord.

Jordan
Yeah. And I feel like there’s a lot of, uh, will in the private sector, especially to, to get something going on this, right. That like post optus, especially you look at kind of private sector submissions to government security strategies or, you know, tech policy consultations and it’s not uncommon that you see that like, we need to solve digital identity, we need a way. Again, it keeps, it’s cropping up in age verification. There’s a huge kind of, a lot of momentum around putting additional protections for kids online in a privacy sense, in the privacy context. And then, and digital ID comes up there. We need a clear way of, a safe way of proving identity there.

So yeah, that phased approach kind of makes sense from a political strategic, not all at once, kind of perspective, but I mean, how far away is phase four? Probably years, right?

Brett
Well, yeah, I mean, in some of the consultation papers that the government has released yesterday, it is a few years away. I mean, these are after consultation, so it’s not a statement of the government’s final position. I think coming back to Optus and some of the various breaches, I mean, it’s creating a bit of a burning platform for government on this and for the private sector as well. This idea that digital ID has been held out as a solution to this retention problem that exists, having to hold on to identity documents as evidence of someone verifying that they’re entitled to open an account or something like this.

Maybe this is spending too long in privacy, but I would just offer a spoonful of skepticism with that. But like, yes, I absolutely agree that as from the day that the digital ID system starts coming into effect for an entity, that’s likely to reduce their risk profile in terms of holding information unnecessarily because of the architecture of the exchange that we’ve described before. But it’s not going to do anything for them for the information that’s already sitting in their system and has been there since the last 10 years or something like this. There is still a retention issue that needs to be addressed. And so this idea that digital ID is a bit of a panacea for retention probably just needs a little bit of qualification.

Jordan
Yeah, no, for sure. Organisations are notoriously bad at getting rid of old data, as we’ve seen in a lot of these breaches, right? But. You know, I think one of the promises, definitely not a panacea, but one of the promises of the digital ID stuff is that they never get their hands on it in the first place, right? That I can prove it without them ever seeing it.

So where are we then with digital ID? We’ve got a proposed law out for consultation and we’ve got a government ID system and we’ve got a private sector connect ID system.

They’re all just operating side by side? Question mark?

Brett
Yes, quick question mark, exclamation mark. It’s super messy. This is the part that I get really confused by for someone who works in this space. Like as you’ve said, Jordan, there are multiple things happening concurrently in this space. It is, as it is right now, it is completely legitimate for there to be entities that are operating within the Australian government’s digital identity system, which is one category. There are entities that may have been accredited under what’s known as the Trusted Digital Identity Framework. So they’ve reached a certain level of assurance through a government framework and perhaps are operating not within that Australian government identity system, but are operating nonetheless. And then you have a third category of entities who are neither. So not operating in that system and not accredited.

Jordan
Which is the bank’s Connect ID at the moment. Yeah.

Brett
So Connect ID has been accredited under the TDIF, but the banks have not been accredited under the TDIF. I think there might be an ambition there. So as a consumer,

Jordan
Clear as mud. Yeah.

Brett
What am I to think? And over time, hopefully this will resolve. The legislation talks about this idea of trust marks. So hopefully be desired to be desirable to receive a government accreditation that will come with it some sort of stamp of approval or a tick. As a consumer, you can just look for that to know that there’s a certain base level of privacy and cyber protection relating to the service. But as it is right now, it is really, really messy as a consumer to know what is going on in this space. What is accredited? What is not?

Jordan
Wildly difficult. So what’s your advice then as a user of this stuff? So if I’m on a log on a website and they’re like, hey, you can prove your ID through your Commonwealth bank account, connect ID, do I click yes? Do I wait for some laws to pass? As a consumer, is this useful to me or do I just wait for this stuff to resolve?

Brett
This is a huge question. I don’t have a neat answer for you, Jordan. It’s probably down to each person’s, you know, risk appetite. What I think rather than sort of being like, hey, here’s what you should do, because I honestly don’t know. Yeah, it’s up to each person. But maybe where I think this is going, perhaps, is that over time as something of convenience, people will become more familiar with proving themselves via a digital ID. It is likely to be made available by banks, for example, I can see being made available during a transaction, you know, would you like to verify it with your bank ID? And then there’s an explainer and people sort of become familiar as part of the transaction.

I don’t necessarily see a huge section of the community just deciding to create their own digital ID upon becoming aware of the values and benefits because just is unlikely to happen because of how complicated it is. But through convenience and through sort of integration in the process, and I think this is the play with ConnectID, there will be this osmosing of practice as people become more familiar.

Jordan
Yeah, just slowly getting people familiar with it. I think of this as kind of where digital payments were 20 years ago or so where, you know, you can do it, there’s systems. It’s a bit iffy, people aren’t sure if they can trust it. And just over time, the systems and the processes and the expectations have developed. And sure, there’s plenty of things have gone wrong. There’s been a lot of frauds, there’s been a lot of challenges, but we’re at the point now where we all know what online payments should look like, and we all just do that as an easy part of everyday life.

I’m imagining that at some point in maybe in 20 years, ID like this is just going to be baseline part of the internet, right? Part of our online lives. We’re just going to be familiar with these systems. We’re going to be willing to prove age here and, you know, location or whatever other attribute over there.

Do you see that as where this is going? Is this chaotic mess that we’re currently in going to resolve itself?

Brett
I think yes. I mean, look, as to the question with the chaotic mess resolve itself, you never know. Yeah. But what I was saying, and these are not original thoughts of my own, we’ve participated in forums run by NAB on digital ID. There’s a fellow by the name, David Birch, he’s done a lot of research into sort of the future of payments. And I guess he’s the underpinning rationale there identity systems and payment systems are going to become over time much more interlinked and that may become a point where there may actually not be a functional distinction between those two things. So yeah, so that supports your thesis that it will just become accepted practice over time. I don’t think it’s coincidental by the way that underpins ConnectID is a consortium of EFTPOS, BPAY and National Payment Platform Australian Payments Plus.

Strategically there’s a bit of recognition of that connection there as well.

Jordan
Interesting. Let’s leave it there on this picture of, I’m gonna stick with, I mean I think you were a bit more ambivalent, but I’m gonna stick with this like optimistic in 20 years time it’s just gonna be a natural and privacy protective way of dealing with the world online. Thanks so much for trying to tease that apart with me Brett, really appreciate it.

Brett
Pleasure. Jordan, thanks very much for having me on.