APF concerned about DTO’s identity framework project


news The Australian Privacy Foundation (APF) has raised concerns about the way the Digital Transformation Office (DTO) has proceeded about setting up its new Trusted Digital Identity Framework (TDIF) project.

The TDIF is a planned DTO service that will verify the identity of individuals so they can access government services via a “federated verification product”, according to the APF.

On 23 August, the APF sent a submission to the DTO identifying a range of concerns over the project, commencing with a warning that many similar schemes in recent years have suffered from “abuses”.

The number of such failures means “public distrust of the machinations of federal government agencies is entirely rational, to be expected, and very difficult to overcome”, the APF said.

In the submission, the APF moves on to complain that the DTO has not yet started ‘engagement’ with civil society, despite the project having reached Alpha phase.

The APF added that it is not aware of any preliminary privacy issues analysis (PIA) being performed by the DTO.

“This would have provided an informed base of documentation on which the current project’s consideration of privacy concerns could have built,” it said. Instead, according to the group, only one meeting was called, and “substantive documentation provided only at the last moment”.

The DTO is also suffering a lack of transparency, the APF said, with regard to participation in the scheme, the intended uses of the accounts, the experiences of similar DTO-cited projects overseas, and the relevant legal landscape.

To address these shortfalls, it said, the DTO should “respect government policy” and a initiate a multi-phase PIA process “immediately”.

Further, consultative processes should be treated as an urgent matter, and design factors that have emerged during the initial phases should be regarded as “tentative” pending “effective engagement, feedback and reflection of the feedback in the architecture and design”.

Moving to to its analysis of the DTO identity product, the APF suggested that the intended beneficiaries of the project “appear to be government agencies”.

“The proposal offers modest benefits to citizen/consumers, in the form of fewer demands for registration details, because a single ‘identity provider’ can be used for interactions with multiple organisations. Repetitive authentication process, however, are no less onerous, although the interfaces may be more consistent than they otherwise would be,” the Foundation said in the submission.

Any benefits aside, the APF warned that Australian citizens face “serious risks” in using the scheme.

“There is the very real possibility of security breaches, both by insiders and outsiders,” it said. “There is the very real possibility of conversion from voluntary use to opt-out or mandatory use, of correlation among identifiers, and of function creep.”

If abused, the scheme would represent a convenient stepping-stone to a national identification scheme,” the APF went on. “That would shift the imbalance of power even further away from individuals, and threaten political freedoms.

It is “vital”, according to the APF, that the privacy protections built into the scheme be “very substantial”

An alpha prototype of the service is currently due for release on 29 August, although that has now been postponed, according to The Mandarin.

Image credit: Adrian Yee, Creative Commons