New Digital ID Bill raises serious privacy concerns for Australians

It is incumbent on lawyers to raise alarm bells when they see the legislature passing laws that impact the legal rights of citizens, write Ian Aldridge and Gianluca Pecora.

Ian Aldridge and Gianluca Pecora | 17 June 2024 | Politics

The rushed passing of the Digital ID Bill 2024 through Parliament (with only three weeks of consultation provided) is extremely concerning.

We don’t think that Australians realise exactly what the consequences or potential consequences of this new law will be unless further amendments, clarifications and safeguards are put in place.

With respect, we do not understand why there is a need for this regime at all at this stage when Australia is woefully unprepared in terms of its current privacy laws (which require significant amendment to bring them in line with GDPR/Californian amendments). According to Digital Rights Watch, “in Europe, many countries have established digital identity structures; however, these systems are built on robust rights-based frameworks and a mature rights-respecting culture that we do not currently enjoy in Australia”.

The centralisation of every Australian citizen’s private and sensitive information in one place should be enough in and of itself to be feared, and we have now seen instances around the world where the centralisation of this data presents a real problem (e.g. India). As stated by the NSW Council for Civil Liberties (NSWCCL): “It potentially creates a ‘honeypot’ of personal data stored in a centralised database that would offer a tempting target for cyber criminals or hostile nations.”

Indeed, it is our view that this proposed new legislation could, in fact, have the opposite effect of what is intended in terms of security. Surely, the practical consequence of this will be that there will be more data being collected by the government, all its agencies, including law enforcement, the Australian Taxation Office and large companies, which will continue to collect what information they need and store it. So, really, it provides hackers with another lot of entry points that may only be a password away from all that centralised information.

This is an extremely dangerous proposition. It also represents a serious incursion into the legal rights of Australian citizens to privacy. Most don’t really know how fundamental that right is until it is taken away. The problem is, once we provide these powers to the government, it is extremely difficult, if not practically impossible, to gain those freedoms back.

In the capitalist world, that right to privacy is enjoyed, and separation of the powers of legislature, judiciary, and executive arms of government is paramount. When the government steps in and starts to make inroads into either of the other arms, then we often find adverse results. It is commonly known that small government is preferred.

This represents an overreach of that power into the fundamental human right of privacy. If extrapolated, you start to see a movement towards a totalitarian/communist regime like China, where the movement of all individuals is tracked and monitored. You may think we will never get like that in Australia, but this is the start towards that, if we let it happen. It becomes a slippery slope/slow melting ice cube.

Privacy lawyers (like ourselves) and civil libertarians have voiced serious concerns about this legislation. The NSWCCL submission to the Senate economics and legislation committee on 19 January 2024 goes to great lengths in pointing out the issues, deficiencies, and practical issues such as data governance, biometric issues, and the Australian Government Digital Identity System (AGDIS).

It is extremely well researched and written and is recommended reading. UNSW Allens Hub has also made several submissions on the proposed bill and, on 17 January 2024, raised serious alarm bells about safeguards, mission creep, and biometric technology and its impact, among others. Digital Rights Watch also provided well-drafted submissions on 11 October 23, citing the rejection of the Australia Card, the high opt-out rate of the MyHealthRecord scheme and the deficiencies of the current Privacy Act. It raised concerns about the need for meaningful consultation to build trust; the need for urgent privacy reform, to be done prior to the Digital ID system being put in place if it is to continue; the severity of consequences in relation to biometric data, which cannot be understated; the sharing of digital ID with law enforcement without justification for access; data profiling and tracking; and many other matters.

With all the concerns raised, one then wonders why we need this at all. Isn’t the risk greatly outweighed by the proposed benefits of “making things easier” and “more secure”? There have been some concerns raised about whether in fact the service providers are behind the large push for the hardware and software systems to be put in place.

There are clearly some large corporate interests driving this legislation through and at pace. The fast tabling of this legislation has been a result of a number of recent high-profile data breaches, and tackling cyber crime has been touted as one of the benefits of the AGDIS. However, it is unclear how exactly it would do that.

How much can we trust governments with access to all this data? Even the ATO was able to be defrauded out of $557 million of hard-earned Australian taxpayer dollars by the exploitation of what appears to be a simple loophole in their system, not even a sophisticated attack, even after apparently being warned by the “big four” banks that it was happening!

The issue is there is no accountability or responsibility taken as a result of it. It doesn’t appear as if any heads rolled as a result of that. They’re not in the business of keeping our information safe and secure. If anything, I would wager the ATO would like more access to it to track and measure.

As the NSWCCL points out: “Alternatives to centralised digital ID systems exist and have been built through blockchain and self-sovereign identity using blockchain technology” (see World Economic Forum’s article on 12 August 2021). “In fact, the final report of the Senate select committee on Australia as a technology and financial centre recommends that Australia embrace technologies such as blockchain and decentralised computing.”

Biometric information

A key feature of Digital ID is the integration of biometric technology to facilitate identification.

The OAIC’s 2023 Community Attitudes Survey found that only 49 per cent of Australians are comfortable with biometric information – facial recognition, iris, fingerprint, voice – to verify their identity online. Within the current state of technology and regulatory framework, there are insufficient safeguards to mitigate risks of biometrics – especially with pending reforms to Australia’s privacy framework not yet enacted. Our view is that biometric verification should not be conducted for Digital ID.

Clause 48 requires the immediate destruction of biometric information collected during digital identification – but a breach is still a risk. Data breaches involving biometric information are significantly more harmful than other personal information because you cannot change a person’s fingerprint, voice or face the same way you can change a bank password.

Digital Rights Watch points out that “given that Australia’s Digital ID system relies heavily on the collection, use and disclosure of an individual’s biometric data as well as other personal and sensitive information, the risks to an individual’s privacy, security, safety and wellbeing should the system suffer a security breach or other forms of misuse are immense. The use of biometric data is particularly dangerous, as generally speaking, people cannot readily change their biometric data, making it exceptionally difficult to remedy in the case of a breach.”

In the view of the UNSW Allens Hub, biometrics are also open to “man-in-the-middle attacks” during the stage of their transformation into data, which raises cyber security and fraud detection risks. As the NSWCCL states: “The use of biometric technology, at any point of authentication, introduces substantial privacy and security risks” and should be avoided altogether.

Computer misrecognition errors of facial recognition also risk mislabelling race or gender identity and subjecting Australians to bias. The notion that biometric technology accurately verifies identity is unverified.

The digital ID scheme of India discriminated against large groups of people and subjected citizens to surveillance and data breaches. Australia should learn from these failures.

We join UNSW Allens Hub in calling for further study into biometrics before its widespread use as the Digital ID’s primary form of authentication. “Biometric technology’s promise of accurate verification remains largely unverified and untested ... evidence worldwide has shown the limited theoretical work conducted in this field.”

Unfortunately, Digital ID may put Australians between a rock and a hard place. Biometric verification is risky, especially in its infancy. Alternatively, a passcode is easy to hack. As the NSWCCL says: “The proposed scheme is only as secure as one’s phone or other personal device. Having a weak password, losing or having a device hacked could lead to all of the data being compromised.”

Surveillance

As it stands now, there aren’t adequate protections in place to stop mass surveillance of all Australian citizens by the Australian government and its agencies.

“By linking personal identification data across federal and state jurisdictions as well as the private sector, the federal government has complete oversight over the lives of Australians. There should be no justification for allowing Digital ID data for surveillance” (NSWCCL). This, together with a potential Central Bank Digital Currency (CBDC) would mean that the government would have access to every piece of private information, your movements and spending at all times. If that doesn’t frighten you, I’m not sure what will.

Clause 54(1)(b)(iii) allows disclosure of biometric information and personal information if authorised by a warrant. Clause 50(3)(c) exempts the prohibition of data profiling to track online behaviour if use or disclosure is required or authorised by law. However, guidance has not been given on which circumstances permit this exception – diminishing public trust. As Digital Rights Watch points out: “No justification has been put forward for allowing such access ... We recommend that law enforcement agencies should be explicitly prohibited from accessing Digital ID data held by any accredited entities.”

Digital ID links tax records, passports, health records, pensions, payments, allowances and more. The NSWCCL rightly condemns data centralisation because it allows mass analytics, behaviour profiling and targeted advertising to flourish.

AGDIS is expanded “initially across government services and then facilitating the reciprocal or shared use of the Digital IDs between public and private sector organisations”.

Additional safeguards are necessary to prevent misuse by law enforcement for mass surveillance purposes. Our view is that law enforcement should be expressly excluded from accessing data from Digital ID. Digital Rights Watch rightly points out that the government has not justified the provisions enabling access by law enforcement. The NSWCCL believes “that the proposed safeguards are not sufficient. There should be no law enforcement access to information in the Digital ID system with or without a warrant. Trust in the Digital ID system should at least be on the same level as the federal COVIDSafe app, which prohibits access to a law enforcement body.”

We don’t need Digital ID. We need a Human Rights Act and Privacy Act reform urgently.

Ian Aldridge is the founder and principal, and Gianluca Pecora is a paralegal, at Progressive Legal.
