The Identity Verification Services Bill 2023 (the Digital ID Bill) was passed by the Senate this month.
According to the government the Digital ID System will address the need for a “secure, voluntary, and inclusive method” to verify Australians online, because “recent cyber incidents” have proven the need for identification to be “reliable”. Somehow, this is all said without the slightest hint of irony.
Just last year the story emerged that the government’s flagship Digital Identification system, ‘myGov’, had been ‘hacked’ to the tune of over half a billion dollars. Fraudsters claimed $557 million from the Australian Tax Office (ATO) by creating false myGov accounts and linking them to the tax files of 8100 genuine taxpayers. They replaced the bank details of real people and businesses with their own.
This ‘recent cyber incident’ did indeed prove the need for identification to be secure and reliable. It also proved that government is not the organisation to make it so.
But this example of the government’s profound lack of competence with information technology is not isolated or rare. The government’s track record of implementing reliable and secure digital infrastructure projects could only be described as appalling.
How can the government claim that its digital identification system will be voluntary and inclusive when it has been knowingly acting unlawfully with identification for years?
Who can forget when Queensland Health tried to implement a new payroll system? They blew their budget by 20,000%, costing Queensland taxpayers an astonishing $1.2 billion and requiring 1,000 new staff to manually manage the payroll. The independent inquiry described the debacle as “the worst failure in public administration in Australian history”.
Then there was the disastrous Robo debt scheme. The Australian government tried to build a system to detect welfare fraud and overpayments. 443,000 Australians were abused and wrongly accused of fraud or Centrelink debts. Some were so distressed by the abuse they took their own lives. There was a class action lawsuit resulting in a $1.8billion pay-out from the government. The debacle led to a Royal Commission which described Robo debt as a “human tragedy”.
Then there is the $1.5 billion My Health Record project. The former head of the project, Paul Shelter, famously said he would opt-out of the My Health Record system that he himself was responsible for building because of the poor security model. He disliked that your private and personal data can be accessed for reasons of public revenue. He said that the poor security, along with the way people were being signed up (without their express consent) was “symptomatic of the way government handles IT”. The National Audit Office confirmed recently that My Health Record still fails to appropriately manage cybersecurity risks.
With a resume of disasters like these, how can we be expected to trust the government to build a secure and reliable digital identification system? The centrepiece of the system – myGov – has already been hacked successfully.
But the demonstrable lack of trustworthiness of the government with regard to digital identification extends beyond incompetence. The Government has for years been unlawfully using identity verification services without any legislative basis in breach of their own privacy laws. A Senate inquiry heard that the Document Verification Service has been used over 140 million times by approximately 2,700 government agencies and industry organisations. That was just in the past year alone.
443,000 Australians were abused and wrongly accused of fraud or Centrelink debts.
In addition, the Face Verification Service was used 2.6 million times. Senator Shoebridge stated that “The conclusion that pretty much every stakeholder has drawn is that the current identity verification services procedure is unlawful and, in the absence of any statutory underpinning, is open to legal challenge”.
He warned that the government was facing “potentially significant civil damages” that could be “aggravated by the fact that they continue to operate a service knowing full well that it is unlawful, and in breach of the privacy laws”.
The newly passed legislation is clearly a case of the Government giving itself legal permission to do what it has been doing unlawfully. Digital Rights Watch told Senators that the government was now retrofitting a legislative foundation to an existing set of practices and rushing the Bill through to protect itself from liability. The Law Council of Australia also criticised the use of these services without any laws underpinning it.
How can the government claim that its digital identification system will be voluntary and inclusive when it has been knowingly acting unlawfully with identification for years? The long history of catastrophically botched digital infrastructure projects prove that we absolutely cannot trust in the government’s competence. But its equally appalling record of disregarding privacy and identity – to the point of ignoring its own laws – prove that it cannot be trusted with our privacy or personal information at all.
And let’s not forget that as recently as 2022, a whopping 90,000 South Australian public servants payroll data was hacked … https://www.abc.net.au/news/2022-05-18/13000-more-sa-public-servants-involved-in-data-breach/101078646. Government has zero competence protecting your privacy. That do the opposite. The use your information against you and let other bad faith actors access it. Do not trust the government. Timely, clear-thinking from Jaimie Stevenson in this article. Big thank you!
Correct.
The laughable mandatory data protection training I’m subjected to is merely adding insult to injury – “don’t accidentally allow someone to know your password, don’t click on phishing links” while mandating worst practice password policy and sending phishing emails to “test security” – when all along the government can’t be trusted due to malice and incompetence is entirely typical of the public sector.
These people can join the long list to be first against the wall when the revolution comes.