
Getting Australia’s digital Trust Exchange right

To realise the potential of the Digital ID Act and the recently unveiled Trust Exchange (TEx), the government must move past political soundbites and develop a comprehensive identity and credentials strategy that includes building technical architecture and conducting an end-to-end security assessment.

The government is yet to publish the rules and standards in relation to the Digital ID Act, which was finally passed in May. We’re also still waiting to hear details of TEx, a world-leading digital identity verification system, which Government Services Minister Bill Shorten unveiled in August.

The Digital ID Act was the government’s response to the 2022 data breaches at Optus and Medibank, which prompted a fundamental reassessment of what sensitive data should be collected and how long it should be stored. Businesses should still conduct checks on customers—for example, to prevent money-laundering or alcohol sales to minors—but a better solution is needed than simply storing digitised copies of paper identification documents.

A digital ID scheme had been proposed for many years in different guises, but the 2022 breaches finally led to new draft legislation in September 2023, kicking off the process that led to the Digital ID Act.

This Act is a major step in the right direction. It provides a legislated basis for a federated trust system and avoids creating a unique identifier for every citizen or a centralised ‘honeypot’ of data about people and their transactions. The accreditation rules include strong privacy and security safeguards to build trust in the system and put individuals in control of what personal data is disclosed to whom and when. However, as I outline in a recent ASPI report, there are several policy issues which, if left unresolved, could jeopardise successful deployment and adoption of the digital ID system.

Based on the limited details released so far, TEx could be on the verge of repeating many of the same missteps.

TEx appears to be a system that securely shares specific identity attributes for in-person interactions through a digital identity app on a handheld device. One example is proof-of-age checks at licensed premises: in lieu of physical documentation that shows the customer’s date of birth, the app simply verifies whether they are over or under 18. This would prevent data breaches such as the Clubs NSW incident, in which hackers stole data from patrons’ driver’s licences that had been routinely scanned and stored.

But the sparse details about TEx are contradictory and ambiguous, causing some to be sceptical of the scheme. Shorten has suggested that it will ‘build upon digital ID infrastructure’, using the existing identity exchange operated by Services Australia and the myGov app, supported by some sort of record of each identity verification transaction. But this contradicts accreditation rules for the identity exchange, which specifically prohibit it from keeping logs of user activity.

This sort of ambiguity leads some to assume the worst, such as Electronic Frontiers Australia, which claims the system will create the ‘mother of all honeypots’ and enable centralised surveillance. It doesn’t help that a recent Ombudsman report suggested that the myGov app currently falls well short of expectations on security and fraud prevention.

The government is also setting unrealistic expectations about the benefits of TEx, with Shorten suggesting that it will achieve ‘some of the best aspects of the GDPR’. The introduction of GDPR—the European Union’s data privacy and security law—had a dramatic effect on companies’ security and privacy practices because it was backed by massive penalties for non-compliance and encompassed all aspects of data collection, storage and usage. In contrast, Australia’s TEx, a voluntary system that might allow some organisations to opt out of collecting some personal data, is never going to have the same level of impact.

The incentives for companies to opt in are unclear. Big names such as CBA and Seek have apparently offered ‘in-principle’ support, but this may change when they hear more details, particularly about costs.

It is also unclear how these different IT systems, owned and operated by different departments, will fit together to provide end-to-end service, security and privacy. TEx will be built by Services Australia, ‘on top of’ Digital ID infrastructure set up by the Department of Finance. Meanwhile the Attorney-General’s Department is developing a mobile app that alerts users whenever their identity credentials are used.

To execute these systems successfully, the government must develop an overarching identity and credentials strategy across the Commonwealth and the states and territories. This should include technical architecture, based on sound system engineering principles, that outlines how the different systems will work together. There should also be an end-to-end security assessment to ensure data confidentiality and resilience in the system. To achieve this, the government must break down departmental silos and build public support through transparent information and debate.

These new digital ID systems have the potential to increase privacy standards, reduce data breaches and improve the public’s experience of government service delivery—but only if they are properly executed. This opportunity is too big to squander.

Naming names won’t stop abuse on social media

Yesterday, Prime Minister Scott Morrison lambasted social media platforms for enabling abusive and aggressive comments from anonymous users. Calling social media a ‘coward’s palace’, the prime minister said that ‘Cowards who go anonymously onto social media and vilify people and harass them and bully them, and engage in defamatory statements, they need to be responsible for what they’re saying.’ Morrison foreshadowed that his government would be taking action on this issue.

In April, the government was reported to be considering imposing a law requiring Australians to provide 100 points of official identification to open social media accounts on platforms including Facebook, Twitter and Instagram, as well as dating apps like Tinder. The idea was strongly opposed by experts, who said that the measure would be ineffective and create privacy risks.

The idea that anonymity is a primary driver of antisocial behaviour online is frequently and widely asserted. Empirical research in this space reflects a vastly more complex picture, however, which varies from platform to platform and between demographics and social contexts. The internet is not a monoculture; it is a rich variety of subcultures which engage with anonymity and identity in diverse ways.

It’s undeniably the case that anonymity is sometimes used for the purposes of abusive behaviour online. It doesn’t follow, however, that users are necessarily any less abusive under their real names, or that mandating identification would resolve the problem.

For one thing, Facebook already has a real-name policy. This measure has been modified several times over the years in response to criticism that it disproportionately impacts marginal communities and endangers victims of domestic violence and stalking.

It’s not at all clear that this policy has made Facebook a more civil, kinder place than social media platforms which do not enforce real-name policies. A recent and highly consequential example of this is the High Court decision to hold media companies accountable for comments posted on their Facebook pages. The decision came in the context of severe online abuse targeted at plaintiff Dylan Voller.

Morrison referenced the case in his comments on Thursday, saying, ‘[Social media users] should have to identify who they are. And, you know, the companies if they’re not going to say who they are, well they’re not a platform anymore, they’re a publisher. They’re a publisher, and you know what the implications of that means in terms of those issues.’

However, there is no indication that a significant number of the users posting abusive comments about Voller were not doing so under their real names. A cursory glance through Facebook comments on any controversial topic will indicate that many people are only too happy to make cruel comments under their own names. It’s not clear how a requirement to provide a driver’s licence or other ID to open an account would change that behaviour.

This is not to suggest that there’s not a small minority of Facebook accounts which attempt to conceal the identity of their users and engage in abusive behaviour.

It doesn’t follow, however, that requiring government identification to open a social media account for all Australians is a proportionate or effective policy response. A high bar for evidence of necessity, safety and effectiveness should be required before the government asks Australians to accept a measure which almost no other country has imposed.

In 2004, amid concerns about the spread of election misinformation online, the South Korean government imposed a law requiring users to provide their national identification numbers before posting on election-related websites. In 2007, in response to a series of online abuse scandals, the requirement to identify users was broadened to all sites with more than 300,000 daily visitors.

Studies show that during the time the policy was in operation, there was no significant decrease in online abuse. For example, the Korean Communications Commission found that ‘hateful’ comments decreased by less than 1% during the first year the policy was in force. Other studies found short-term decreases in online participation and the number of violent comments, but saw no long-term changes. The policy doesn’t appear to have prevented the spread of misinformation or conspiracy theories.

What did happen, however, was a massive hack in which 35 million South Koreans’ national identification numbers were stolen.

The policy was struck down by South Korea’s Constitutional Court in 2012. The court said that it was unconstitutional, undermined democracy and intimidated citizens from voicing legitimate criticism of influential figures. The court also found no proof that the law helped decrease libel or the spread of rumours and false information.

‘Expressions under anonymity or pseudonym allow [people] to voice criticism on majority opinion without giving into external pressure,’ the court said. ‘Even if there is a side effect to online anonymity, it should be strongly protected for its constitutional value.’

Other democracies have also pushed back on real-name policies on social media. In 2018, a German court ruled that Facebook’s policy was illegal.

In 2021, the only country imposing a requirement for government identification on social media users is China, where privacy rights and the effects on democratic free speech are clearly not a concern.

For almost a decade, the Chinese Communist Party has been trying to enforce real-name policies for social media users. Over the years, these laws have become more and more restrictive as China has ramped up and refined its increasingly high-tech form of authoritarianism.

Earlier this year, Chinese tech giant Tencent implemented facial recognition technology to scan the faces of users of its gaming platforms. This followed moves by the CCP to crack down on gaming by minors, but there are fears the policy will be expanded for broader surveillance and control of social media users, particularly young people.

Online abuse is a serious problem. Proportionate, evidence-based policies should be implemented to address it.

It’s not at all clear that anonymity is the primary driver of abusive and antisocial behaviour online. It is even less clear that requiring government identification for social media users would do anything to fix the situation.

What it clearly would do, however, is create a host of new problems. It would pose barriers for marginalised communities and risks to people like domestic violence victims. It would provide a tempting target for hackers, pose a range of privacy issues and enable greater surveillance by both government and social media companies.

Every nation is struggling with how to manage the negative aspects of social media while retaining its many positive elements. Fellow democracies have found laws requiring government identification to be ineffective and harmful, while authoritarian China has embraced them.

That alone should be enough to give Australia pause before implementing any such policy.