Australia’s digital identity trust exchange to launch by end of year
Australia will roll out its comprehensive digital identity program by the end of 2024 as the government prepares to formally announce its national Trust Exchange, or TEx, which will enable digital identity verification across a host of services and transactions.
NewsWire reports that Government Services Minister Bill Shorten will make the announcement during his address to the National Press Club on Tuesday.
Services Australia will oversee the process of bringing TEx from its current proof-of-concept stage to full public implementation. Credentials will be housed in the myGov wallet and will store personal data such as date of birth, address, citizenship, visa status, qualifications, occupational licenses, safety checks and other information the government already knows. Users will control what data is shared to meet ID requirements, minimizing the potential to provide unnecessary sensitive information.
A digital token system will also enable a simple transaction to verify details without the exchange of any personal information at all – a so-called “digital thumbs up.”
“You choose which information to share from your digital wallet and consent to its use,” says Shorten’s prepared speech. “You will have a record in your myGov wallet of what you shared and with whom you shared it.”
Shorten will reportedly point to examples of ID verification or identity exchange such as booking a hotel room with digital ID, or “the case of someone going to the local RSL (Returned and Services League of Australia) and wanting to prove they’re from interstate or that they’re over 18.” They could just hold up their phone to a scanner, which would retrieve a token that vouches for their identity. “None of that information needs to be kept by the club. The token will be a valuable promise to the club, but of zero value to a cybercriminal,” because it contains no data, only a confirmation.
The government is leaning heavily on the message that the TEx digital identity scheme will make data safer with its “rigorous privacy and security standards.” Data protection protocols are to be tighter than the EU’s General Data Protection Regulation (GDPR).
Services Australia scolded over lax myGov fraud response
The Commonwealth Ombudsman has dropped the hammer on Services Australia, in a report summarizing its investigation into the agency’s response to myGov fraud arising from unauthorized linking to member service accounts.
The report, “Keeping myGov secure,” says unauthorized linking “is where a genuine myGov customer’s member service account is linked to a ‘fake’ myGov account without the customer’s knowledge or authorisation.” The Mandarin quotes ombud Iain Anderson, who says “people have told us about the stress and anxiety they experienced when their personal information was stolen, and fraud committed in their name.”
Services Australia, says Anderson, has not done enough to strengthen security against unauthorized linking leading to tax fraud. His report finds that “myGov’s current security controls do not adequately protect people from unauthorized linking where identity theft has occurred,” and notes an “apparent lack of formal processes for managing shared risks across the myGov ecosystem.”
There is also bureaucracy in the way, as “Services Australia’s ability to provide a coordinated response to customers reporting data breaches and fraud may be limited by its enabling legislation.”
The report puts forth four recommendations and two suggestions to help Services Australia get its data protection ducks in a row. They generally urge the agency to take a look at its current processes and work together with other agencies to implement better controls, such as multi-factor authentication (MFA) for high-risk transactions.
“Agencies who administer a system or program involving multiple agencies, such as myGov, should ensure they have a holistic view of associated risks to identify opportunities to improve the system and support other participating agencies to uplift their capability,” says a section entitled “Lessons for all agencies.”
“These agencies should also understand the levels of risk involved in the system and ensure risks that could impact other participants are managed effectively, including through identifying and managing shared risks.”
The overarching message? Do better at fixing the problem of unauthorized linking and other scams.