The government’s proposal for a new digital ID, which would use a mobile phone to replace physical documents, has raised widespread concerns among security experts and non-Labour MPs.
Public Services Minister Bill Shorten on Tuesday announced an $11.4 million trial of a QR code application for mobile phones that would replace a driver’s license or passport to verify a person’s identity.
The Trust Exchange program, or TEx, links a person’s myGov wallet or future digital ID to that person’s identity. This allows them to verify who they are and provide requested information, such as proof of age to gain access to a pub or club.
Mr Shorten said TEx could be used to confirm a hotel reservation without the customer having to hand over a driver’s license or other ID. It could also reduce the amount of information private companies collect.
If someone needs to prove their age, the TEx can demonstrate that the user is over 18 years old without having to reveal details such as a home address.
The technology can store and disclose information such as a person’s date of birth, address, nationality, visa status, qualifications, professional licenses or permits to work with children, and any other information the government holds.
While Mr Shorten hailed the device as the world’s leading means of identification when he addressed the National Press Club in Canberra, others are concerned that someone’s entire identity could be accessed on one device.
According to cybersecurity expert Shara Evans, it can be risky to “put all your eggs in one basket.”
Cybersecurity expert Shara Evans has warned several times against storing too much data in one place
“I like the idea of making it easy to verify someone’s identity without having to give away personal, confidential information and having that confidential information stored everywhere,” she said.
‘However, this needs to be thought through very carefully and plans should be in place for rapid and complete identity renewal in the event of a data breach/compromise/loss of a consumer device.’
“I’m always a little concerned when you have a lot of sensitive information stored in one place, regardless of who’s collecting and controlling it. There are so many dark ways that information can be compromised.”
Others raised concerns about privacy, the fact that it is relatively easy to create fake login credentials on a screen compared to a physical document, and what happens to people who want to log out.
However, Mr Shorten was very positive about the new digital IDs.
“Having an ID as verifiable evidence would be a secure and very efficient way for a company to be sure of someone’s identity,” she said.
“This saves companies money by significantly reducing new customer onboarding procedures and data storage requirements.”
Mr Shorten assured his audience it would be an ‘opt-in’ system, where ‘you choose what’s shared, you consent to what’s shared and you can trust that it’s shared safely’.
Public Services Minister Bill Shorten is testing a new government app that can verify identity without having to present a driver’s license or other documents
“Whatever happens, online or in real life, you choose what is shared, you give permission to share it and you can trust that it is safe,” he said.
He said the proof-of-concept trial had already been approved with “in-principle support” from the Tech Council of Australia, the Commonwealth Bank and employment platform SEEK.
“Once it is implemented, TEx will have countless applications,” Mr Shorten said.
‘It has the potential to drive innovation in our economy and create opportunities across all sectors, including for small businesses.’
‘We are working on this and it should be ready by the end of 2024.
Liberal backbench MP Russell Broadbent has been an outspoken critic of the Albanian government’s digital ID legislation, which was rushed through parliament earlier this year, saying he feared an invasion of privacy.
The Trust Exchange, or TEx program, will be linked to an individual’s myGov wallet, or by the end of the year to the upcoming digital ID,
“His advisers would tell him this is the future, this is the way forward,” Broadbent said.
‘Is he checking for unintended consequences? Problems around freedom of choice, freedom of information, freedom of association?’
Mr Broadbent fears that the use of QR codes to enter venues, as was done by governments issuing Covid vaccine passports during the pandemic, could lead to people being tracked against their will.
“We are facing an unprecedented invasion of our privacy,” he said.
“It would be a further invasion of our privacy as they would aggregate all of an individual’s information into one place, which is also acknowledged in the press release.
“If they keep everything in one place, from a scammer or hacker’s perspective, all you have to do is crack that one place and you’re in the middle of everything.”
Mr Broadbent pointed out that despite assurances that any information from the Covid apps would not be used for anything other than case tracing, Western Australia Police have used QR check-in data in their investigations on two occasions.
“It is a blatant violation of human rights,” Broadbent said.
Liberal MP raised concerns over whether government’s new tool could be used to track movements
Senator Pauline Hanson, leader of One Nation, said she was opposed to the new verification tool, calling it a “dumb idea”
‘Has Bill Shorten considered the full human rights implications in this new process?
‘We’re not even in a pressure cooker right now.
‘What if we were in a war situation, wouldn’t they be allowed to check everything under war conditions? Is there data available?’
Senator Pauline Hanson, leader of One Nation, also told Daily Mail Australia she opposed the measure.
“One Nation has always opposed a national digital ID system and I oppose this latest idea as well,” she told Daily Mail Australia on Tuesday.
‘There is no guarantee about the security of this data. There have been numerous data breaches this year alone, including the Medisecure data breach involving the personal data of almost 13 million people.
What’s to stop a smart person from creating a convincing QR code loaded with fake data?
“What’s to stop someone from using someone else’s phone? I don’t see how this protects establishments from fake IDs or from prosecution for serving alcohol to a minor.”
Senator Hanson said presenting a driver’s license “is as easy to show at a venue as holding a phone up to a QR code reader.”
“I think this is just another stupid idea that puts Australians’ personal data at risk and costs taxpayers money unnecessarily,” she said.
Daniel Lewkovitz, who runs Sydney security firm Calamity, said he was “very cynical” about the government’s claim the measure would remain “voluntary”.
“The government will continue to talk about safety and protecting people, but I would rather see them do a better job of enforcing our existing laws before introducing more legislation that impacts law-abiding citizens.”
Mr Lewkovitz was also highly sceptical about some of the claimed benefits of the measures.
“The funniest thing is that the proposal would combat underage drinking,” he said.
‘It is much easier to forge a picture on your phone than a plastic ID card. While there are security mechanisms in place to prevent this (such as the already existing Service NSW Digital Driver Licence), I have found that neither private security nor the police use these tools to verify the authenticity of the driver’s licence.’
Mr Shorten said in an interview with ABC Radio National on Wednesday that he had asked the agency to use “open source” encryption to increase confidence in the recording.
“We show people the code we used to produce the software,” he said.
‘Services Australia will still do the encryption. I want to make that clear, but I think it’s important if we want to build trust and for the consumer or citizen to feel like they have control.
“The point is that it’s open source and that people with technical knowledge can look under the hood and see that the system works as we describe.”
