John Phillips, October 27, 2021, Digital Trust

What Sezoo thinks of the Australian Trusted Digital Identity Legislation

Consultation on Phase 3 of Australia’s Digital Identity legislation took place between 1 and 27 October 2021. Sezoo provided a response to the exposure draft with seven key observations. You can read about the consultation process (and, once submissions are published, see how others have commented) on the Australian Government website here: https://www.digitalidentity.gov.au/have-your-say/phase-3

Our full submission will be available on the government site once it is published; in the meantime, here are the magnificent seven.

Sezoo’s Seven Observations
  1. Identity is always important, but not always needed.
  2. The exposure draft includes terms that embed current technology implementations, making the Bill date rapidly.
  3. This is about “Trusted Digital Identity”, nothing more, or less.
  4. We need many trusted identities and many systems, not one.
  5. You don’t need to ‘blind’ yourself to things that you didn’t see, nor forget things you never knew.
  6. The Bill and the accompanying rules should enable a flexible ecosystem.
  7. The Bill and TDIF rules constrain the implementation solution.

Let’s expand on these points:

  1. Identity is always important, but not always needed.
    While we recognise the need, at times, to “prove” identity to appropriate levels of confidence in order to initiate or complete a transaction, we reject the concept that this is a prerequisite for all transactions. Some transactions demand that identity be proved; some do not. In almost all instances, it isn’t the identity of an individual that is ultimately in question, it is the capability and rights of the individual: not who they are but what they are recognised as being capable of, their “credentials” in the general sense of the word. Implementing systems and policies that insist that identity is part of every type of exchange erodes privacy, security and trust.
  2. The exposure draft includes terms that embed current technology implementations, making the Bill date rapidly.
    The definitions section includes terms that are specific to the current implementation of TDIF (for example, the definitions of attributes, credentials and identity exchange). These embed current architecture and practices that are tightly coupled to the current TDIF implementation and make the Bill resistant to future developments. There are already better technology frameworks than those assumed by the Bill. The Bill should be technology neutral.
  3. This is about “Trusted Digital Identity”, nothing more, or less.
    The exposure draft defines a digital identity system to mean:
    “a system that facilitates or manages either or both of the following in an online environment:
    (a) the verification of the identity of individuals;
    (b) the authentication of the digital identity of, or information about, individuals.”

    The Bill should be used for the purpose for which it has been defined, and no more than this. It does not, for example, provide a “fit for purpose” framework for credentials or digital trust in the general sense. 
  4. We need many trusted identities and many systems, not one.
    A key benefit of the government bill and government-defined system is to simplify and secure digital access to government services. This helps to fulfil a duty of government and the rights of its citizens. The use of the same system for commercial environments, and indeed, in the fullest implementation of the vision, for *all* Australian environments, is an overreach that would directly impact the privacy and security of Australian citizens – achieving exactly the opposite of the intended effect. Single-system solutions of all kinds are vulnerable to attack, technically, socially, and politically.
  5. You don’t need to ‘blind’ yourself to things that you didn’t see, nor forget things you never knew.
    The TDIF architecture, with its reliance on an identity exchange, creates privacy issues that it then seeks to overcome through rules (for example, no data is to be kept by exchanges) and/or through cryptographic techniques (“blinding” transaction enablers to the identity of the participants). An exchange is involved in every transaction, and the reliance on an identity service provider for authentication in every transaction creates a “call home” record. Both are privacy eroding and unnecessary, and are required purely because of the current technical implementation.
  6. The Bill and the accompanying rules should enable a flexible ecosystem.
    Australia needs a digital trust ecosystem that is robust, economical, and designed to support multiple services with specific functional, commercial and technical needs. The ability for multiple services to coexist and coordinate within the governed technical ecosystem and governance framework is not articulated in the Bill and supporting documents. Commercial organisations will be unlikely to commit to being a service provider or a relying party (assuming they have a choice) under the current framework, and commercial engagement with a government-owned entity is unlikely to be preferred.
  7. The Bill and TDIF rules constrain the implementation solution.
    The current TDIF design and its exchange dependency are fragile in the face of change, will struggle to support transactions with different service levels, and won’t provide transaction throttling and prioritisation based on service distinctions, or flex and prioritise based on capacity constraints. Removing the reliance on exchanges is preferable, but would require fundamental redesign. While the current solution provides purely government services, this architecture may be acceptable. But the infrastructure necessary to support differentiated, commercial offerings requires considerably more design flexibility, “always on” and “service nuanced” change capabilities, and resilience, and these are not provided by the current system.
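The “call home” point in observation 5 is easiest to see as data. The script below is an added illustration, not part of Sezoo’s submission or of the TDIF design itself. It runs the same sequence of logins through two simplified models: an exchange-brokered flow in which every login is authenticated by the identity provider and passes through an exchange, and a holder-presented flow in which an issuer signs a credential once and relying parties verify it locally. Everything in it is assumed for the demonstration: event order stands in for timestamps, a hash-based one-time signature (Lamport) stands in for whatever production signature scheme a real system would use, and the login events are constructed sample data.

```python
"""Added example: per-transaction 'call home' footprint of an exchange-mediated
login versus a holder-presented, issuer-signed credential.
Assumptions (not from the submission or TDIF): event order stands in for
timestamps, a Lamport one-time signature stands in for a production scheme,
and the login events are constructed sample data."""
import hashlib
import secrets
from collections import defaultdict


# --- Lamport one-time signature (stdlib only; one key pair signs one message) ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal one preimage per message bit; reusing a key on a second message
    # would reveal both halves, so each key signs exactly one credential.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (bit, s) in enumerate(zip(_bits(msg), sig)))


class ExchangeModel:
    """Exchange-brokered flow: every login passes through an exchange and is
    authenticated by the identity provider (IdP). The exchange sees a pairwise
    pseudonym and the relying party; the IdP sees the user and the time."""

    def __init__(self):
        self.exchange_log = []   # (pairwise pseudonym, relying party, time)
        self.idp_log = []        # (user, time): the 'call home' record

    def login(self, user, rp, t):
        pseudonym = hashlib.sha256(f"{user}|{rp}".encode()).hexdigest()[:12]
        self.exchange_log.append((pseudonym, rp, t))
        self.idp_log.append((user, t))
        return True


class CredentialModel:
    """Holder-presented flow: the issuer signs a credential once; a relying
    party verifies it locally with the issuer's public key, so the issuer is
    not contacted at presentation time."""

    def __init__(self):
        self.issuer_log = []     # only issuance events are recorded here

    def issue(self, user, claim):
        sk, pk = lamport_keygen()          # fresh key per credential (one-time scheme)
        cred = f"{user}:{claim}".encode()
        self.issuer_log.append(("issued", user))
        return cred, lamport_sign(sk, cred), pk

    def present(self, rp, cred, sig, pk) -> bool:
        # Verification happens at the relying party; no issuer log entry.
        return lamport_verify(pk, cred, sig)


# Constructed sample: four logins by two users (not real TDIF data).
SAMPLE_LOGINS = [("alice", "tax-office"), ("alice", "bank"),
                 ("bob", "tax-office"), ("alice", "bank")]


def simulate(logins):
    """Run the same login sequence through both models and report what the
    central parties end up holding."""
    ex = ExchangeModel()
    for t, (user, rp) in enumerate(logins):
        ex.login(user, rp, t)
    # Pseudonyms hide the user from the exchange, but joining the two logs on
    # time re-links each user to the relying parties they visited.
    linked = defaultdict(set)
    for user, t_idp in ex.idp_log:
        for _, rp, t_ex in ex.exchange_log:
            if t_ex == t_idp:
                linked[user].add(rp)

    cm = CredentialModel()
    creds, all_ok = {}, True
    for user, rp in logins:
        if user not in creds:
            creds[user] = cm.issue(user, "over18")
        all_ok = all_ok and cm.present(rp, *creds[user])
    return {
        "exchange_idp_records": len(ex.idp_log),
        "exchange_linked_rps": {u: sorted(v) for u, v in linked.items()},
        "credential_issuer_records": len(cm.issuer_log),
        "credential_all_verified": all_ok,
    }


if __name__ == "__main__":
    print(simulate(SAMPLE_LOGINS))
```

Running it on the four sample logins leaves the identity provider with four authentication records in the exchange model and the issuer with two issuance records in the credential model, one per user, however many times the credential is presented. The join on time shows why a “keep no data” rule and pairwise blinding at the exchange do not remove the risk: two parties that each hold a partial, timestamped log can reconstruct who visited which relying party, which is the record the holder-presented flow never creates.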
About the Author
John Phillips
John believes that there are better models for digital trust for people, organisations, and things on a global scale. He sees verifiable credentials, trustworthy communication, and trustworthy identifiers as a disruptive force for change for good, and wants to be a catalyst for that change, helping people and organisations navigate their way to a better future.
