Making Data Better

A Big Little Step: Australia Shifts from Digital Identity to Digital ID

February 10, 2024 Lockstep Consulting Pty Ltd
Making Data Better
A Big Little Step: Australia Shifts from Digital Identity to Digital ID
Show Notes Transcript

Australia's online security community - government, banking, and providers - has made a major, deliberate move. Over the last year, the term "digital identity" has been replaced by "digital ID" in government and industry publications and press releases.

Steve and George unravel this deliberate linguistic shift from the amorphous 'digital identity' to the more concrete and pragmatic 'digital ID', and understand why this nuanced change is more than mere semantics. It's a shift that promises greater clarity in technology, legislation, and personal identification. Tune in and explore a future where proving who you are online is not just more secure, but refreshingly straightforward.

Why does this matter? As Steve and George discuss it in this episode of Making Data Better, it accurately shifts the focus of policy and technical work on to the quality of the data used for identification purposes. It frees everyone from the impossible tasks of representing our "identities" digitally. 

Through our discussion, we celebrate the strides made by Australia in addressing the advancement of digital identity systems—a contrast to the comparatively uncoordinated, market-driven efforts seen in the U.S

Steve and George conclude with their perspective on how to secure digital IDs using device-assisted presentation. Plaintext presentation is the enemy. It gives hackers endless opportunities to copy (via data breaches) and replay (via fraud) that data. There is a straightforward solution that we have done before: marry the cryptographic strength of how chip cards are secured to the convenience of smartphone presentation and we have the opportunity to remove breach incentive by making our digital ID data better.

There's plenty of work ahead but there's great power in what could be an uncontroversial, technically practical, achievable approach. So take a listen. 

Speaker 1:

Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data Critical to our lives. I'm George Peabody, partner at Lockstep Consulting, and thanks for joining us with me as Lockstep founder, steve Wilson. Hi, steve, good day, george. How are you? I'm doing very, very well. So a lot of fun today and an important topic because I have to say, as an American, I'm having a great time watching the evolution of the digital identity work in Australia, our country, compared to the US, where, look, we've got lots of smart people, as we heard from Jeremy Grant in an earlier episode, but it's fairly uncoordinated the thinking about how to handle the problem and task of online identification. In Australia, we have the federal government. You've got some of the states working more or less in harmony around this problem of digital identity and data breaches, because a lot of that has happened, of course, over the last couple of years. So well done, steve. I'm glad we're having this conversation about what's happening in Australia.

Speaker 2:

Yeah, and Australia's been part of an international effort for I think 25 years with the Five Eyes countries the US, canada, new Zealand, australia, the UK. We've had different legislative models for digital identity for the last 20 years. I think that what we have in Australia now is the third draft bill that we've had in 10 years. So we've been working on this for a long time a lot of smart people. I think the significant thing that's happened in Australia is a shift in perspective from digital identity, which is amorphous and contested and organic and personal and just like real world identity, and there's a shift here. I think it's a deliberate shift to the term digital ID, which might sound like we're splitting hairs or playing word games, but should we unpack that right now? Yes, let's do it.

Speaker 1:

Again, I've observed the same thing that in the documents that have been released from the federal government and from a national Australia bank, They've abandoned that term digital identity in favour of digital ID. So yeah, unpack that for us.

Speaker 2:

And that shift is not an accident. We know from talking with NAV that it's a deliberate shift. Digital identity appears to be the digital version of identity. Now I don't want to get into a whole lot of glossary terminology and definitions and be too semantic about this. I just want to speak about how we tend to use these terms. So, identity, who am I? What makes me me? Digitising that, of course, is an impossible problem. It means different things to different people. Technologists fatally use the term digital identity in different ways. There's a range of dictionary definitions and they don't line up. So that's a problem. To start with, digital ID, on the other hand, what is an ID? If I ask you, george, for an ID, maybe I'm a barman and I'm asking you to prove your age, then you'll know what to do. If you're a student and we ask you for your ID, you'll know what to do. If you're visiting somebody, say you're visiting your own company, the office in Australia, and the security person says, hey, mr Peabody, show us your ID, you'll know that it's an employee ID. So we casually use the term ID. We know what it means. There's lots of them. There's driver's licenses, passport certificates, medicare cards. They're all IDs. Digital ID guess what? It's just the digitised fact, the digitised attribute. Now there's a number of technologies that make the presentation of those IDs more or less secure and we can come to that. The important thing about the Australian legislation is that it's just settled on the term digital ID. It's not about identity, and that's super important because for 20 years we've been invariably led down the path of a new universal way of proving who you are. And that is so problematic. I don't need to go there. I don't think I need to tread that ground again. We know that the universal digital identity certainly in the US, australia, the UK it's not even found upon its taboo. I don't think we need. The greatest news in all of this is that we don't need it.

Speaker 1:

Exactly. It would simply be yet another attribute when we already have attributes in abundance that have been developed and put out in the world because they have particular use cases, particular context. Yes, we have IDs, like a driver's license that gets used in other contexts, arguably appropriately or not. I have to show my ID to the bar man to prove I'm over 21. He actually sees where I live and my name and all of that, which is none of their business. I can imagine that, with the right development, the right user experience design, that it would actually be possible to walk into a bar and show my smartphone and that would just tell the bar man yeah, this guy is over 21. Beyond that, he doesn't need to know anything about me.

Speaker 2:

Piece of cake Right Piece of cake technologically so easy.

Speaker 1:

Yes, that's really up around. We're creating a digital ID, or we need a digital ID, or we need a collection of digital IDs these individual facts for individual use cases. If you're opening a bank account, you need a collection, or the bank needs a collection of digital IDs attributes about you in order to make a risk decision to whether to bring you on as a customer or not.

Speaker 2:

And I think that what the government in Australia has let Sean to so remember. We've had the world's biggest data breaches as an appropriated basis in the last two years in Australia, and everybody's driver's license number is assumed to now be stolen. Some of the state governments responded to these breaches by giving you a free option to renew your driver's license. But, oh my God, it was the proper response. But let's play a long game. Are we going to renew our driver's license every time there's another data breach? Of course not. The problem is not the driver's license itself, the problem is the replayability of the number, and we have this bad habit of plain text presentation of all of those IDs. Now I think the Australian government has rethought this with some clarity and some precision and said you know what the problem with identity crime? Identity crime is not identity theft, or identity theft doesn't steal anybody's identity. It's just a catchall for what's actually data theft. So we don't have an identity crime problem, we have a data problem. And if we could make those IDs more reliable so that they can't be stolen and reused behind our backs, but instead of being presented in plain text, these IDs are presented cryptographically or using mobile technology, that would solve the identity crime problem without any new universal identity. So it's a really clean reframing of the problem that we need to solve.

Speaker 1:

Yeah, you know, I like that, because adding any other attributes or indeed just building higher security walls, or what we see in regulators doing all the time is demanding that those enterprises that store data about us put higher walls and stronger walls around them. But the problem is that's really a very difficult task and it's all we're doing is repeating the processes that, ultimately, we really haven't worked for the last two decades.

Speaker 2:

So it's a futile arms race expecting to take this data. We should make the data less radioactive and less usable to criminals, and I think that that's the opportunity we've got in front of us with digital ID in Australia.

Speaker 1:

Well, the good news is that we've, as a society, we've done this before. If you look at what the payment card industry did with its EMV chip cards, what that put in place was, running along with every payment transaction, there is now a piece of cryptographically encoded data that gets sent to the issuer of the bank, the issuing bank of that card, and that assures that the issuing bank to the issuing bank that it is indeed their card, the card that they put in the hands of their card holder, as opposed to and this was designed, of course, to replace what we now think of as a plain text data problem that came off of the MagStripe at the back of the cards. That MagStripe could be copied over and over again, and what the card industry did was put a little bit of intelligence in those microchips, a little more intelligence in the terminals, read them, and then, of course, intelligence in the back end, the issuing bank to really provide a mechanism for device presented or device assisted presentation of data, as opposed to just presentation of plain text. So I think what you're saying is and I know what you're saying perfectly well that what you're saying is we should be doing the same thing for all these other digital IDs, or all these other IDs to make them securely digital.

Speaker 2:

Yep, we've done it before. I think if you go all the way back to the paper credit cards of the 1950s and then plastic cards, you know embossed cards in the 60s and 70s, magnetic stripe cards, chip cards and now mobile phones, the account number is the same. It's the same data. It's a 16-digit primary account number. It's the same data all the way through. For 70 years. It's been the same data. But we've made the data better by presenting it. Now we present it with the assistance of a chip. So two chips talk to each other the chip in your card or your phone, the chip in the merchant terminal. They know that this is genuine data and, as you say, there's a little bit of cryptography, a little bit of a code that goes with the core data to prove that the core data has come from a real bank and it's been presented with the consent of the card holder. So exactly I mean just to really round the point home if you took your Medicare card or your driver's license or your employee ID and used that same cryptographic trick, so that it wasn't plain text anymore but it was device assisted, I sincerely believe this is going to sound over the top, but we could do the same thing to identity crime today as what we did to card crime 10 to 15 years ago. You could cut it by I don't know, let's model it, george but you could cut it by 70 or 80% in a couple of years and you would then neutralize the black market. Install the data. Most data breaches now are driven by criminals. They're done by organized crime. They have incredible resources, incredible guile to break into Optus and to break into Medibank Private and to break into the social administration of the United States. You can't stop these criminals. What you can do is you can remove the incentive by making the data so much better that it's useless to criminals, and I think that that is the way that we seem to be thinking about digital ID in Australia now.

Speaker 1:

And compared to where we were even 10 or 15 years ago. We actually have the back end technology, but we also have in the hands of virtually every citizen, the device that can store a digital ID or a collection of digital IDs. That device also manages and creates a user experience and guides the user experience for the sharing of those digital IDs. So, in other words, we've got the tools to put this kind of device-assisted presentation in place across all the IDs that we need to be able to share in our day-to-day lives. Not to say it's not a lot of work.

Speaker 2:

It's not prepared earlier. Yeah Look, the latest figures from the Reserve Bank of Australia show that 35% of card payments are now done via mobile wallets, so that idea of tap to pay or click to pay is so habituated. Now I think, George, you talk about the pattern. There's a consumer pattern. We know how to use this technology. That proportion of the population that's comfortable with this stuff now is rising. It could be 50%, 60%, 70% in a couple of years' time. So why don't we just abstract that? If you can click to pay, then you should be able to click to prove your ID any ID and you'd put it in a wallet. People are familiar with that presentation. Now, such a powerful latent superpower that we've all now got in our pockets.

Speaker 1:

And those credentials could be released either in an operating system level wallet, a third party wallet that contains multiple credentials, or over 15 years ago, I did some research about how many apps are customers willing to use to affect their payments, and it turns out it was a fairly large number. The reason is we know which app we want to use to get a particular job done. It's just like we know which. Prior to that, we knew full well which card to pull out of our wallet in order to either make a payment or, as you said earlier, to present our employee ID to get access to the building. We know what we need to use. We have pretty much a fairly unencumbered device in order to store and present credentials. I know we're going to be talking about the digital wallet evolution in an upcoming episode, so why don't we leave it there, steve? This is exciting. There's definitely the opportunity to make data better here.

Speaker 2:

Yeah, thanks, george. It was your idea to have this quick podcast. We're breaking our normal format and just having a chat between the two of us, but we've all been reading a lot of press reports in the last few weeks and a lot of well-meaning confusion about what is the digital ID and what's the digital identity and how does this matter. So I hope that what we've done now is to position this and show now that shift is subtle but really important. It allows us to conserve the IDs that we've already got. It makes that data better and it makes it easy to present. I think that we could be using these IDs just as safely and as quickly and as easily as we use our virtual credit cards.

Speaker 1:

All right, stephen, thanks a lot. See you next time.

Speaker 2:

Cheers, george, take care Bye.