Home Affairs Department bureaucrats, repeatedly thwarted in recent years in attempts to sneak through a radical expansion of government collection and use of biometric data, are using recent major hacking of big corporations to again push an agenda which would see the department become a national repository for all Australians’ biometric data.
Justin Hendry at Innovation Australia reported yesterday that a department official, Gudiya Riddell, said last week that corporations shouldn’t be holding identity verification documents because “biometrically [anchored] digital identities and digital credentials can help to limit the amount of personal information that an organisation collects by enabling an individual to share only the minimum amount of information needed for a transaction”.
Instead, home affairs could operate or nationally coordinate a biometric data repository that corporations would use to verify identity.
That is exactly the idea put forward by Peter Dutton and home affairs secretary Mike Pezzullo in 2019 — which was savaged by the Andrew Hastie-chaired parliamentary committee on intelligence and security. That would have created a biometric data hub run by Home Affairs in coordination with state governments, which corporations could have accessed for identity verification (with users’ permission).
The committee ripped the idea apart when home affairs drafted the proposal so widely as to allow myriad other uses for the biometric data, with no privacy safeguards or accountability requirements, no independent oversight, and plenty of room for endless expansion of what data was included and the purposes for which it would be accessed.
That reflected a longer-term ambition on the part of home affairs and its predecessor department, immigration. In 2014, immigration tried a similar trick as in 2019 — using legislation to sneak through a massive expansion of its powers. It proposed an unlimited power to keep biometric data on everyone entering and leaving Australia. Again, the intelligence and security committee stopped it, with Labor MP Anthony Byrne leading the charge against immigration bureaucrats.
Dutton then proposed a more voluntary border biometric data collection system in 2017, claiming it would enable much faster arrivals at Australian airports.
Now the hacks of Optus and Medibank Private are being used to justify another push for home affairs to become the one-stop shop for all your biometric data needs.
The risks of such a treasure trove of data are the same as they were nearly 10 years ago: home affairs has a woeful record on data security, a rotten record on procurement matters, and it failed to implement the government’s own basic cybersecurity standards for many years (along with most other departments).
And once biometric data is stolen from home affairs or some third-party IT vendor obtained through one of that department’s many bungled procurement processes, the damage is permanent. You can get a new driver’s licence or passport; you can’t get a new fingerprint or iris.
The “key learning” from the Optus/Medibank/whoever’s-next hacks is that the only genuinely reliable way to protect personal data, biometric or otherwise, is not to have it in the first place. Anything else is a second-best solution and, judging by the quality of IT security at many Australian corporations, more likely fourth- or fifth-best.
But the truth that the best way to protect data is not to collect it runs contrary to the prime directive of governments and corporations, that it’s always better to collect more data — to sell to third parties, to analyse for selling and advertising opportunities, to devise “better” policy, to address threats. In that environment, our personal data will never be safe — not while corporations and governments believe they can benefit from it.
An ethos that data shouldn’t be collected unless it’s needed and not retained unless absolutely essential is one that is totally foreign to the “collect-it-all” mentality of bureaucracies (whether in the security and intelligence establishment or not) and corporations. But until it’s embraced, cybersecurity is a utopian fantasy.
Would you trust home affairs — or any department — with any of your data? Let us know your thoughts by writing to letters@crikey.com.au. Please include your full name to be considered for publication. We reserve the right to edit for length and clarity.
Australia said no to the Australia Card back in the 1980s (Hawke Govt). Since then, the government has introduced the MyGovID with open sharing of information across government agencies and no ability for individuals to control the use of their data. The legislation gives individuals limited access to information held on them but requires that individuals know what is being held and the access is restricted.
The reasons the Australia Card was rejected were many, but one of the key reasons is that Australians just don’t trust the Govt to use the information in a way that benefits the people. RoboDebt is just one example of why the Govt should not be trusted. The security laws allowing security agencies unfettered access to personal information without warrant are another.
The National Digital ID project and its associated framework concerns me.
Can we trust that the government will keep our information secure?
Can we trust that they will use the information legally?
Can we trust that only the minimum required data will be stored and shared?
Can we trust that the government will always have our best interests in mind?
Experiences to date suggest that the government has not built any trust or goodwill in this space.
It is our data – we have a right to understand what is stored, who is accessing it and how they are using it; we have a right to say no; or at least expect that there are legal checks and balances in place to prevent misuse of our data.
The best way to establish identity and to also transmit secure and encrypted data is with a public/private key system. You use your private key and the target person’s public key (collected from public repository) to encrypt the data. The receiver is the only person who can decrypt the data, using your public key available from the public repository.
The secrets remain in your possession and the public repository can be an organisation like Australia Post. This technology is not new and extremely well-established.
Why isn’t it used? Government security agencies can’t snoop on communications.
That sounds like a circular catch-22 solution, because you need the recipient’s identity (and they yours) to find the corresponding public keys in the public repository.
There’s a good reason why public key management in general and PGP keys in particular (as just one example) are still a problem. Key-signing festivals have been shown not to scale.
The systems that do manage public keys on users’ behalf (WeChat, Signal etc) tie identity back to your phone number, I believe. At least you can replace that, unlike a retina, but how do people who don’t have a phone, for whatever reason, operate? Or whose phone is broken, or been stolen? Or their SIM transferred?
Well said, Keane.
What we actually need is for governments & businesses to reopen local easily accessible branches staffed by human beings who can view an original identity document of the customer & process the transaction.
Agree, this would help narrow the ever expanding digital divide while allowing us to opt out in good faith.
But there is zero profit in this approach so don’t expect to see it brought to the table by the big tech consultants who are no doubt lobbying their cold hearts out to protect us from their corporate besties.
I’d sooner hand my biometric data over to the next scam caller promising a crypto windfall.
Government assurance of their/OUR cyber security makes the claims of a Nigerian Prince seem credible.
Till Australia adopts something similar and as robust as the EU’s GDPR inc. penalties, which the UK also replicates, there will be ongoing issues of personal data collection, storage, processing and third party access; leaving too much wriggle room for bad actors not taking responsibility.
Pezzullo and Dutton. Say no more.