Australia Digital ID Bill criticized for biometrics testing barrier, phased rollout

National banks and a biometric testing provider have expressed concerns in submissions to parliament on the Digital ID Bill that will govern the Australian Government Digital ID System (AGDIS). BixeLab commented that the bill as it stands can hinder testing integrity. Banks and others have also argued the private sector should access digital IDs at the same time as state governments, rather than maintain its current multi-step plan, according to InnovationAus.

The Digital ID Bill was first introduced to Parliament in November and includes a number of rules referring to biometric testing. BixeLab submitted an inquiry to parliament supporting the oversight of accreditation by a regulator as outlined in the bill, arguing that it will facilitate change in response to the emergence of novel threats.

The company opposes that the bill leaves it up to the discretion of the regulator as to whether or not independent testing would be required. The committee should “consider an amendment … to make explicit that testing … may be prescribed to be independent of accredited entities,” the submission reads.

A clause in the bill bans the collection of racial or ethnic attributes, which hinders BixeLab and other testing providers from using such data to assess racial bias in biometric algorithms, it notes. Additionally, the bill as it currently stands limits the retention of biometric data for testing to 14 days.

The two-week timeframe “is not a sufficient period to complete testing and associated fraud investigations for more complex and novel threats and attacks,” says BixeLab. It suggests the maximum period for retaining data should be extended to at least 28 days, and preferably to 60 days.

BixeLab also says the three month accreditation period for testing entities could be extended.

The bill outlines which entities will be able to implement AGDIS in a series of phases but not when each phase is expected to begin. As the bill stands today, state and territory governments would have access in the second phase and citizens could use digital IDs to access private sector services in the third phase. The private sector, including current digital ID providers like IDVerse, will only be able to access government services in the fourth and final phase.

The Department of Finance argues that a phased-in approach will give the government a chance to see that the system is operating as planned before continuing to roll out digital IDs.

The National Australia Bank (NAB) argues that whether an organization meets security standards should determine when they can access digital IDs – not an arbitrary deadline.

“Accreditation should be the barometer of an entity’s maturity and applicability for joining the system – not an artificially constructed timeline which does not relate to an organization’s capability to satisfy the state requirements,” states NAB’s submission to parliament.

Australian Payments Plus (AP+), which runs the ConnectID digital ID system that Commonwealth Bank of Australia and NAB currently use, says that the government is prolonging national cybersecurity risks by dragging its feet on private sector access.

Equifax, one of the two largest private users of the government’s currently available identity verification services, says in its submission that delays in private sector access could “undermine consumer confidence in dealing with business and government” as digital identity fraud becomes more sophisticated.

Other submissions from civil rights groups call for stronger restrictions on law enforcement’s access to the system.

Article Topics

Australia  |  Australian Government Digital Identity System (AGDIS)  |  biometric testing  |  biometrics  |  BixeLab  |  digital ID  |  identity verification  |  legislation