The laws passed the Senate in late March and will go before the lower house in the upcoming parliamentary sitting period, although the ID itself (called myGovID) is already up and running.
So how do digital IDs work, why do we need them, and is Australia’s system actually going to be any good? This is what you need to know.
Not to be confused with digital licences – which are just a computerised version of a physical card – a digital ID is a system that allows Australians to quickly and easily identify themselves without having to provide “points” of ID to a range of organisations.
“I often talk about avoiding that painful process of collecting 100 points of ID – having to scan them, get them printed and get some undecided back of them and like exactly all of that physical paperwork and face to face interactions,” Lauren Perry, a responsible policy specialist at the UTS Human Technology Institute, told 9news.com.au.
“You can get them verified once and then you’re good to go to use them online for multiple interactions.”
In essence, the digital ID acts as a go-between for the user and the organisation that wants to verify their identity.
“I use the analogy of it’s like going to the pub and someone being your wingman,” University of the Sunshine Coast computer science lecturer Dr Erica Mealy told 9news.com.au.
“It’s like setting that up through an app on your phone.
“So when you go to an organisation, you type in their number that they give you, which is registered with the government scheme, into an app that you have on your phone.
“And then it contacts that organisation through the pathway that they have approved with the government and says, ‘Yes, we’ve got Erica’s app you, I can verify this is Erica’.”
At the moment, the app that does that is the government’s myGovID, but private providers could get involved after the legislation passes.
“The thing I like about this scheme is they are talking about also having third parties involved,” Mealy says.
“If you look at someone like MasterCard or Visa, they have a vested interest in making sure that they don’t have fraud in the network.”
“The current system is plagued by identity theft, fraud, and a lack of control over personal data,” Dr Philip Bos, a security expert and founder of privacy protection software company BlueKee, told 9news.com.au.
By sharing personal documents and other information with a single provider, the digital ID would – if implemented properly – negate the risk of identity theft from the likes of the data breaches and hacks that hit Optus, Medibank and Latitude in recent years.
“Australia is designing the system with a lot of security benefits,” Perry says.
“So hopefully a benefit of the system is that we’ll have less of those security breaches like Medicare and Optus because we’re not sending those digital scans (of ID documents) via email to set up a bank account, that kind of thing.
“So it’ll actually stop that over-sharing of personal information… you won’t be sharing that data in and of itself, you’ll just be sharing a kind of tick of approval.”
In addition to the practical, personal benefits of not having to replace licences, passports and other documents after a hack, Mealy says the digital system can also provide benefits to small and medium-sized businesses that need to verify their customers’ IDs.
“From a cybersecurity perspective, it reduces what we call the ‘attack surface’, that being the risk of our information getting out because the more organisations that have it, the more accessible it can be,” she says.
“A lot of our small to medium enterprises, perhaps they don’t have as advanced cybersecurity practices – often they cost a lot of money, they take up a lot of expertise.
“So we’re trying to protect those other organisations from attack as well.”
Before passing the Senate, the digital ID legislation was put before a committee, which heard a number of concerns from experts about the new laws.
Perry says most of those have since been addressed – although one remains.
“There were definitely concerns that we had and we appeared before the committee hearings and provided submissions around things like voluntariness, inclusion and accessibility, redress mechanisms, and a lot of that has actually been taken on by the government and included as amendments, which is fantastic.
“I think the one thing that isn’t quite up to scratch that we were hoping for is the law enforcement and police access to information.”
Under the laws, police will require a warrant to access any information stored as part of a digital ID, but Perry says the restrictions could be tighter.
“There are some protections in there. Police can’t just access whatever they want,” she says.
“But it’s a lower threshold than we would have liked to have seen. So we would advocate that any law enforcement or police access needs to be highly restricted and for investigation of serious crimes only.”
And while the system will mitigate the risks of data breaches from cyber attacks on all the organisations that would otherwise have stored copies of IDs, there is still the possibility of an attack on myGovID.
“It’s susceptible to what we would call an ‘adversary in the middle’ or a ‘man in the middle’ attack,” Mealy says.
“That means if someone can get between the app and the government servers, then that can cause problems. But this type of system is generally vulnerable to that kind of attack.”
Overall though, the system is a step in the right direction, Perry says.
“It is actually a really decent piece of legislation,” she says.
“There’s good redress mechanisms that will be built into the legislation, destruction of information, that kind of thing. So on the whole, we’re pretty happy with the way that they’ve amended it.”
While some of the concerns aired in Senate committee hearings did go to the voluntariness of the system, the digital ID, as currently legislated, will be completely voluntary.
While the legislation is yet to pass, myGovID is already up and running, although only for around 130 government services – you can’t use it to identify yourself with private companies yet.
The legislation is expected to pass parliament in the coming weeks once the House of Representatives begins its next sitting session following the Federal Budget on May 14.
As for when private companies will get access to the system, that is due to happen within two years of the new laws coming into effect.