Data security and privacy figures have raised concerns over the federal government’s plan for a new digital identification system dubbed Trusted Exchange (TEx), with some believing it could become a “honeypot” for cyber criminals if it is not designed correctly.

The system, announced last week by Minister for Government Services Bill Shorten, would allow Australians to use a mobile phone to verify their identity instead of sharing sensitive documents, such as a driver licence or passport, with businesses and organisations.

Shorten said the opt-in system would be “decentralised” but would rely on “official information already held by the Australian government”.

Following the announcement, the government said the data would be kept “with the issuing authority and on your personal device”, and confirmed multiple federal departments — and eventually state and territory governments — would be involved.

Shorten also said TEx would work with a user’s preferred digital wallet, including the digital wallet provided by social services platform myGov.

The announcement left some industry figures concerned about how TEx could be targeted by criminals, but the push for a more secure ID system was welcomed following years of disruptive data breaches involving companies as large as Optus and Medibank.

Toby Murray, an associate professor of cyber security at The University of Melbourne, told Information Age that while it was a “laudable goal” to create a decentralised system in which citizens decided how much of their data was shared with third parties, there was limited detail in the government’s plan regarding where and how personal data was stored.

“That left a lot of questions about data privacy and security and trust in the system, that I think are really important to understand so that people can decide whether they want to use this system,” he said.

John Pane, the chair of digital rights advocacy group Electronic Frontiers Australia (EFA), raised concerns about whether TEx would lead to increased government surveillance and described the system as “the mother of all personal data honeypots”.

Other industry figures, including Marie Johnson, CEO of digital services and AI firm The Centre for Digital Business, warned against tying TEx too closely to myGov, which had its own security issues detailed in a recent Commonwealth Ombudsman’s report.

“What to do? Move swiftly to ruggedise myGov as per the findings of the Ombudsman’s Report,” Johnson said.

“Make this the absolute priority, and not treated like some sort of annoyance getting in the way of the next exciting digital thing.”

Government promises security and privacy

Shorten said TEx would impose “rigorous privacy and security standards”, but has not detailed them.

The Tech Council of Australia, whose membership includes major tech companies, welcomed the government’s promise of data security.

CEO Damian Kassabgi said the government had assured him that officials would not be able to track where a digital ID had been used.

He said the system would feature “additional protections written into rules that go above and beyond existing privacy laws” to protect personal information.


The TEx system will work using QR codes and NFC tap-and-go devices at venues, the government says. Photo: Shutterstock

Toby Murray from the University of Melbourne argued the government needed to regain the public’s trust in its digital services in the wake of the failed Robodebt scheme.

“[TEx], in many ways, would be a system that's almost one of a kind, if they are to roll it out,” he said.

“Rolling out a system that is the first of its kind is, of course, much more challenging than buying well-proven technology that's already been shown to work and deploying it.”

Is there a role for the European model and existing tech?

Some Australian digital ID companies have pushed for the adoption of models similar to those in the United Kingdom and European Union, where governments certify private companies and digital wallet providers to offer some digital ID services.

Ryan Bessemer, CEO of Melbourne-based ID company ShareRing, told Information Age that he saw TEx as “quite a good idea” but questioned its worth when solutions already existed in the market.

“It seems somewhat short-sighted and preemptive — more of a political move — to offer a solution or try to find a problem,” he said.

When he announced TEx, Bill Shorten said he wanted Australia to avoid “the regulation and complexity” of Europe’s General Data Protection Regulation (GDPR), which he also called “the gold standard”.

Bessemer argued the industry needed regulation and accountability both for governments and for private ID companies which held people’s data.

“Governments seem to be sort of Teflon-coated when it comes to being accountable for personal information,” he said.

“There are no consequences, but there are consequences to business.

“This is why the concept of pushing accountability back on to businesses and digital identity service providers is important, because it brings accountability into the system.”


The government says TEx will be accessed using digital wallets, including the one offered in myGov. Photo: Tom Williams / Information Age

Toby Murray said he saw merit in the European models because they could reduce the centralisation of data, but believed identity information being stored by multiple providers “might open you up to other risks as well”.

Bessemer said he was also confused by the government’s decision to create a market for accredited digital ID providers through its Digital ID bill, which passed parliament in May, only to create what appeared to be a centralised government service in TEx.

“This to me calls into question why the government is creating a service that will be in competition with those businesses that are now being certified against the new digital ID bill that’s passed,” he said.

“Will TEx be accredited against the same framework?”

Tech Council CEO Damian Kassabgi said the government had assured him that alongside the introduction of TEx, private companies could “continue to innovate in this critical technology to meet the demand of consumers”.

While the government said both Telstra and Google would be involved in the development of TEx, neither company would elaborate on the work it planned to carry out when contacted by Information Age.

The development of a TEx proof-of-concept is expected to be finalised by the end of 2024 at a cost of $11.4 million, before a pilot phase is considered in early 2025.