Merits of Trust Exchange model challenged

Ian Rogers

The Australian government’s enthusiasm and seeming haste to roll out its favoured model for the proposed Trust Exchange to verify identity and credentials is generating resistance around the private sector, above all among an array of firms that specialise in digital identity.

Last Tuesday Bill Shorten, the minister for government services, outlined the concept and purpose behind the Trust Exchange, also to be known as TEx.

TEx is in the ‘proof of concept’ stage, with Services Australia leading a multi-agency effort to fully develop the strategy, business case and business model for the proposed Exchange.

Other than Bill Shorten’s speech and media release, the government has shared scant information that explains the analysis, strategy and consultation leading up to Cabinet approval for what is being billed as “brand new and world leading digital infrastructure.”

Thanks to the information void, practically all national and business media reporting on TEx has repeated the government’s key messages, delaying more probing analysis.

A select range of businesses, including Commonwealth Bank and the Tech Council, were briefed in advance and have offered support.

Trust Exchange, it seems, is wholly and solely the product of thought leaders and departmental leaders on the Australian government payroll.

David Hazlehurst, CEO, Services Australia

Under Shorten’s, or his department’s, model, data on a person’s credentials such as their driver’s licence or passport will be centrally stored via a revamped myGov, and it is this feature of the proposed Exchange that is attracting the most heated criticism.

One alternative is for distributed proof points that ensure the individual retains ‘self-sovereignty’ over their data.

Ryan Bessemer, the CEO of ShareRing, a Melbourne-based digital ID company, is among those advocating for a model similar to that used in the UK.

“The UK and EU aren’t in the business of issuing digital ID via government owned platforms like myGov, they accredit digital ID providers to provide bespoke solutions to banking, hotels etcetera in the private sector,” Bessemer said.

“Centralised government databases can be subject to threat actors.”

One strident critic of the proposed model for Trust Exchange is AI analyst and futurist (and former Microsoft adviser) Marie Johnson.

Under the government’s preferred model “it will be a massive honeypot of all users’ digital footprints, and great for profiling,” Johnson wrote in a post on LinkedIn last week.

“There is no getting away from the honey pot being created, notwithstanding the claims that there is no unique citizen identifier.”

Johnson argued there were diverse – but not necessarily complementary – business cases that might support development of the proposed exchange.

She labelled these “as a general mash up of Cyber, convenience and ‘time saving’. Each of these factors is a different business case and brings different risk profiles.

“Layer over this proposal the security holes identified in the Ombudsman’s report on Services Australia’s response to myGov fraud.”

Two weeks ago the Commonwealth Ombudsman reported on unauthorised linking of genuine myGov customers' member service accounts to 'fake' myGov accounts without the customers' knowledge or authorisation, for the purposes of fraud.

The Ombudsman’s report exposes systemic weaknesses in Services Australia’s oversight of myGov. These findings included:

•    myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred.

•    And most damningly, “an apparent lack of formal processes for managing shared risks across the myGov ecosystem.”

There may be one further dimension to the proposed Trust Exchange that warrants examination: whether or not the scheme satisfies guidelines for Commonwealth purchasing and public value.

Perhaps Services Australia and the Department of Finance need to test the market and solicit requests for proposals.