The Weekly Cybers #31
Shorten announces a digital ID Trust Exchange but it’s just a proof-of-concept with many unanswered questions, public servants get a new AI policy, and much more.
Welcome
There’s plenty of action this week as Parliament returns for its spring sittings — with a digital ID Trust Exchange being the big item. It’s only a proof-of-concept project, but it’s certainly of interest.
There’s also a new responsible AI policy for the public service — except defence and intelligence — plus the usual plethora of smaller items.
Shorten announces digital ID Trust Exchange
Government services minister Bill Shorten used his speech on Tuesday to the National Press Club on the future of government services to announce plans to develop a digital ID Trust Exchange (TEx), to “give Australians the ability to verify their identity and credentials based on official information already held by the Australian Government”.
The system would allow an issuing authority, such as a state government for driver licences or a university for professional qualifications, to provide a digital version of that credential to be kept in a user’s chosen digital wallet — not only the wallet in the myGov app but also the Apple or Google Wallet in their smartphone, or other third-party wallets.
The Trust Exchange would then provide the infrastructure for the user to provide the personal information a service provider needs — and only that information — and verify that it’s valid, without the service provider needing to keep that personal information on file.
The exchange would use a system known as verifiable credentials, an established open standard for the exchange of digital credentials.
The architecture is broadly similar to how Apple Pay or Google Pay allows you to use your credit card (a credential issued by your bank) with a vendor without them ever knowing your card number.
It is unclear to your writer exactly how this relates to the existing digital ID project being run out of the Finance portfolio to develop the Australian Government Digital ID System (AGDIS), whose goals seem broadly similar.
According to Shorten, “TEx will not duplicate Digital ID, but builds upon the investments already made in that system, including all the consultation and the digital ID infrastructure”.
“The difference between myGov and MyGovID is that MyGovID (owned by ATO) does just the one thing — it proves your identity to both government and business. On the other hand, myGov (owned by Services Australia) is a ‘place’ where you can use your MyGovID to conduct up to 16 Government services online (and we will keep adding more).”
Perhaps this means that Finance will provide the overall policy-making and accreditation work, while Services Australia provides the technical infrastructure for feeding the digital wallets and real-time verification. Meanwhile MyGovID will be just one kind of identity credential that can be used in the system. I guess?
But who knows. These new projects are still under development.
TEx has a budget of $11.4 million “as part of the Digital ID project” and is currently in the proof-of-concept stage, Shorten said.
“Between now and December, TEx will establish: the ability to issue a verified credential; the ability to selectively share information; and the ability to prove your identity without sharing any information.”
The proof-of-concept is scheduled to be completed by January 2025, after which the government will “assess what our options are for pilots”.
One big problem will be adoption by organisations outside of government.
Shorten gave the example, echoed in pieces such as ABC News’s explainer, of proving to licensed venues that you’re over 18.
“Take the case of someone going to the local RSL and wanting to prove they’re over 18. The plan with TEx is that they’d just hold their phone to a tap-to-pay style machine and a digital token will be sent to the club vouching for their identity and that they’re over 18. Not even their actual age is disclosed, merely that they are over 18. The token will be a valuable promise to the club, but of zero value to a cybercriminal.”
As one digital ID expert told The Weekly Cybers:
“Great. But no one has a clue how thousands of pubs are going to be equipped to receive those credentials, whether it’s by tap or click or whatever, and interpret them.”
Indeed, pubs and clubs are unlikely to want to spend money on yet another terminal — especially clubs which already have their own membership systems.
Still it’s early days yet. Stay tuned.
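The issue / selectively share / prove flow described above, including Shorten's over-18 example, as an added illustration that is not code from TEx or any government project: a simplified selective-disclosure credential in Python. The issuer name, signing key and holder data are constructed, and a shared HMAC key stands in for the issuer's asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: simplified selective disclosure in the style of SD-JWT
# verifiable credentials. Simplification: an HMAC key held by both issuer and
# verifier stands in for the issuer's asymmetric signature so this runs offline.
ISSUER_KEY = b"constructed-issuer-signing-key"

def claim_digest(salt, name, value):
    # Commit to one claim as H(salt, name, value); the random salt stops a
    # verifier brute-forcing undisclosed values such as a date of birth.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_credential(claims):
    """Issuer: returns (signed credential, disclosures kept by the wallet)."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(claim_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = {"iss": "constructed-licensing-authority", "_sd": digests}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Wallet: attach only the requested claims to the signed credential."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}

def verify(presentation):
    """Verifier: returns the disclosed claims, or None if anything fails."""
    cred = presentation["credential"]
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if claim_digest(salt, name, value) not in cred["payload"]["_sd"]:
            return None  # claim was not part of what the issuer signed
        revealed[name] = value
    return revealed

def venue_check(claims, forge_age=False):
    """Holder proves 'over 18' to a venue; the venue learns nothing else."""
    cred, disclosures = issue_credential(claims)
    pres = present(cred, disclosures, ["age_over_18"])
    if forge_age:  # wallet edits the value but cannot re-sign the credential
        salt, _ = disclosures["age_over_18"]
        pres["disclosed"]["age_over_18"] = (salt, True)
    return verify(pres)
```

The venue receives only the signed digest list and the one disclosed claim, so it has nothing worth storing; a forged claim fails because its digest is not among those the issuer signed.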
Reactions to TEx have been mixed
The success of TEx will depend on one crucial factor, and that’s public trust, according to Toby Murray, associate professor of cybersecurity at the University of Melbourne.
“Right now, with the ghost of the Robodebt royal commission findings still very much alive, the public has every right to be distrustful of government technology.”
Digital rights group Electronic Frontiers Australia (EFA) was more scathing, calling the proposal the mother of all personal data honeypots.
EFA chair John Pane said the plan “appears to be lacking necessary and essential detail in specific areas around privacy, equity, cyber risk during build and implementation phases”.
“There is no information about whether the TEx would conform to the law enforcement data access restrictions as provided in the current Digital ID legislation, and this is particularly concerning in light of the UN’s just passed international cybercrime treaty that focuses on digital data sharing across jurisdictions with a very low bar set for both human and digital rights protections.”
Pane notes that every use of TEx would involve information passing through government infrastructure, with the status of the system in relation to the new Digital ID Act unclear.
There’s also the question of who pays for each verification action, and whether that cost might be passed on to consumers. So far the government has been silent on these issues.
On the other hand, according to minister Shorten the development of TEx will involve an enthusiastic Telstra and Google, and there’s in-principle support from the Tech Council of Australia, Commonwealth Bank, and employment platform SEEK.
RELATED: The Australian Strategic Policy Institute (ASPI) has released Australia’s new digital ID system: finding the right way to implement it, a report which outlines a number of policy recommendations. “Although the proposed federated model for a digital ID system is commendable and a needed step-forward, there is a need to still address a range of policy issues that — if left unresolved — would jeopardise trust in the system.”
Public servants have a new AI policy
A new Policy for the responsible use of AI in government comes into force on 1 September, which applies to all “non-Corporate Commonwealth entities” except for defence and intelligence agencies.
“Defence and members of the NIC [National Intelligence Community] may voluntarily adopt elements of this policy where they are able to do so without compromising national security capabilities or interests.”
In addition to making safety a priority, the policy says public servants “need to be able to explain, justify and take ownership of advice and decisions when utilising AI”, and “Have clear accountabilities for the adoption of AI and understand its use”.
Agencies must [their emphasis] designate accountability for implementing this policy to accountable official(s) within 90 days. That means responsibility will lie with specific individuals or with the chair of an oversight body.
The policy also strongly recommends that agencies provide training in AI fundamentals to all staff.
Agencies “make publicly available a statement outlining their approach to AI adoption and use within 6 months,” and review it at least yearly.
The 15-page policy also sets out principles for agencies to review and evolve their AI use, and to integrate with whole-of-government capacity building.
As Julian Bajkowski writes at The Mandarin:
“The accountability regime means that public servants keen to deploy the technology will have someone to check over what they are doing. That’s a sensible first step in limiting the mess that overenthusiastic new users can make.”
While the government is certainly concerned about public trust in AI since robodebt, Bajkowski notes that “there was no robotics, algorithm or artificial intelligence in robodebt”.
FINDING THIS NEWSLETTER USEFUL? It’s currently unfunded, so do please consider throwing in a tip.
Also in the news
- In the wake of the robodebt scandal, the Australian Public Service Commissioner is being given clear powers to investigate former agency heads for breaches of the code of conduct. The Public Service Amendment Bill (No. 2) 2024 also makes those powers retrospective.
- Meanwhile service minister Bill Shorten wants to open the sealed section of the robodebt royal commission report — but he doesn’t have the power to force it.
- The Bureau of Meteorology’s new supercomputer is live ($) after sitting idle for ages (6 August 2023). The agency's troubled IT refresh project following a major hack, ROBUST, has cost more than a billion dollars ($) and the Senate has ordered all the documents to be produced. Those documents are expected to be tabled in parliament next month.
- ASIO boss Mike Burgess reckons ‘three or four’ countries are involved in foreign interference in Australia, including “friends”.
- “The Australian Defence Force has officially signed on to the rapidly evolving domain of ‘cognitive warfare’ after it established a new discreet Cyber Command within the Joint Capabilities Group,” reports The Mandarin.
- Australia’s new National Science and Research Priorities were published this week. They are: transitioning to a net zero future; supporting healthy and thriving communities; elevating Aboriginal and Torres Strait Islander knowledge systems; protecting and restoring Australia’s environment; and building a secure and resilient nation. Obviously there’s more detail in the actual documents.
- The Treasury Laws Amendment (Consumer Data Right) Bill 2022 was finally passed. This relates to open banking and moving accounts freely between energy and telecommunications providers. Information Age has this explainer.
- The Australian Competition and Consumer Commission (ACCC) reckons that more than half the cryptocurrency ads on Facebook are scams or violated Meta’s policies, a claim made in a Federal Court ruling last week.
- The Australian Securities and Investments Commission (ASIC) is suing the Australian Securities Exchange (ASX) for misleading the market when they said in 2022 that their idiot and now-abandoned blockchain-based CHESS replacement was “progressing well” — so well that at least $250 million had to be written off.
- Telstra and Optus have agreed to postpone the 3G network shutdown by two months, pushing it back to 28 October.
Data breaches and hacks of note
- Australia’s largest gold producer Evolution Mining has been hit with a ransomware attack.
- Ransomware gang RansomHub has claimed multiple Australian targets including engineering companies McDowall Affleck and Kempe Engineering, as well as Hudson Civil Products.
Elsewhere
I seem to have settled on this section being things which aren’t about Australia or aren’t about what the federal government is up to, but which are still relevant in some way.
- It’s a year since South Australia banned mobile phones in schools, and there are now similar bans across Australia. While politicians reckon it’s going well, an education professor says real evidence of the benefits is still lacking.
- Meanwhile New York state voters support banning smartphones in classrooms by a wide margin, and that’s across the political spectrum.
- “NBN Co has now shifted ‘around 375,000’ users to full fibre connections courtesy of its fibre-to-the-node and fibre-to-the-curb overbuild programs, with claims it managed to convert 10,000 premises in a single week,” reports iTnews.
- Australians travelling in remote areas can now use portable Starlink satellite internet. The hardware costs $799 and the unlimited data plan is $174 per month.
- From the Lowy Institute, Byte-sized diplomacy: Will governments ever reign in Big Tech?. “Google took a hit in the courts last week, but the ruling might not be as important as the information revealed in the case.”
- From the Washington Post a detailed report on the booming industry of AI age scanners aimed at children’s faces. They rely on a style of surveillance that ranges “from ‘somewhat privacy violating’ to ‘authoritarian nightmare.’”
Inquiries of note
I’m somewhat surprised that there’s nothing new this week, but I guess there’s a lot going on.
What’s next?
Parliament continues next week before taking a break until 9 September.
The Senate draft legislation program includes debate on the Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 and the Telecommunications Amendment (SMS Sender ID Register) Bill 2024, with the latter expected to pass without controversy.
In the House of Representatives we expect to see debate on the whole Future Made in Australia thing.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber security newsletter. For that I recommend Risky Biz News.