Oppose Australia’s Digital Identity System


UPDATE As of 23 Oct 2021:

We have checked the Digital Identity System website and it has been bombarded with lots of submissions.

If the submission form does NOT work: Send your response via email digitalidentity@dta.gov.au

You can simply type this:

I hereby disapprove of the lack of transparency in the proposed Trusted Identity legislation Bill currently in Phase 3. I believe that private sectors should not have access to our identity digitally as this could lead to discrimination against individuals and groups.

OR for a more detailed 1000 word response download the word document, copy & paste


Everyone needs to oppose the proposed new Digital Identification legislation

  • Do this right now. This is the DIGITAL ID for Australia!
  • This is the Digital Surveillance Framework that will be put in place for all Australians

The deadline is 5pm on 27 October 2021. Then the Federal Government will push the Bill to Parliament, then it will get through the Houses very quickly. Unless Australians oppose this!

Digital Identity System GovPass is required in law before banks, various regulated private sector entities and state and territory governments can sign up.

Older Instructions

(As of 22 Oct 2021 these instructions may no longer be relevant)

  1. You need to download the “Digital-Identity-Legislation-Response” Word Document below that includes your response to Oppose.
  2. Then you upload it again to the Digital Identity website
  3. It is recommended you use a PC, laptop, computer to do this

https://www.digitalidentity.gov.au/have-your-say/phase-3


More Info

If you thought COVID was bad, then just wait for this!

(Yes in case you have not noticed COVID has always ended with ID)

Learn more about the global Certification Mark

Find out who ultimately are the Alliance Founding Partners of ID2020


1000 word Submission in opposition to the Introduction of the Trusted Digital Identity Bill 2021 (copy & paste)

I strongly oppose the introduction of a comprehensive digital identity system.  It is my view that Option 1: status quo identified in the Regulation Impact Statement (RIS) is the preferred approach.

I do not accept the premise that there is any necessity for providing a centralised platform for verification of identity of individuals in online transactions, nor do any purported benefits from the adoption of such a system outweigh its considerable and serious risks (including increased risk of breach of privacy and unauthorised access to data), whilst it fails to provide any access to financial redress for individuals harmed by such breaches.

My reasons for objecting to this legislation are as follows:

Centralisation increases the risks of data breach and unauthorised use of information

  • The current decentralisation of identity systems is helpful in minimising online fraud. Centralising identification verification and personal information will make it easier for hackers and malware to access a broader spectrum of personal information.

  • The nature of the system, in collating and using information across a variety of participants, would inherently increase the risk of data breach and loss of privacy for users in the system.  Any errors would increase the risk of individual users being ‘locked out’ of services or the deactivation of an individual’s access.

  • There is reference to situations where verifying the identity of an individual will require an individual’s express consent to disclosure by an accredited entity (s. 73 & 74).  But it is unclear in what other circumstances the information could be accessed and what mechanisms will be in place to prevent unauthorised access to information collected by one accredited or participating entity by other entities, including government bodies.

    Although the Bill prohibits disclosure for marketing purposes, experience from social media shows that data breaches do occur; e.g. Facebook was found to be inappropriately sharing user personal information with Cambridge Analytica: https://www.dw.com/en/facebook-faces-5-billion-fine-over-privacy-violations/a-49575702 and 533m users were recently affected by data breaches.

Greater compliance costs for businesses

  • In order to achieve accreditation under the Trusted Digital Identity system, entities are required to undertake functional fraud control requirements and may be charged under the charging framework.  This will lead to greater compliance costs for business, with the added threat of penalties for any non-compliance.

    The RIS considers these costs to be minimal relative to the benefits of the Bill, and this could be the case for larger businesses. But at a time when SMEs have been financially crippled by lockdown measures, further regulation and cost could impact on their viability.

No increased redress for individuals who have suffered a breach

  • Currently, businesses are responsible for protecting consumer and individual privacy and there is Commonwealth legislation holding businesses accountable for cyber security breaches.

  • The Oversight Authority is granted powers to issue infringement notices and to seek undertakings, injunctions and civil penalties for failure to comply with the Bill.  Fines are payable to the government, with no financial redress provided to individuals actually harmed by the breach (due to breach of privacy / data protection, inability to access the system, etc).

Back-door route to consistently rejected national identity card system

  • Australians have consistently rejected a national identity card (https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/Publications_Archive/archive/identitycards). 

    The RIS admits that the “government entities [are] leading the development of a national federated Digital Identity System” (page 4) as a ‘whole-of-economy solution’ aiming to ‘integrate data and technologies’.  Mutual recognition work is also underway, suggesting that the system will be used and accessed also by foreign entities. 

    The RIS references the wariness of the majority of Australians to providing digital and, in particular, biometric information to a business, organisation or government agency and their concerns over personal information being shared (page 28). This could be attributed to a distrust of third parties using an individual’s personal data.

    I do not accept that online security provides justification for the introduction of such a system, nor do ‘efficiency opportunities’ provide sufficient benefit for individuals and businesses subject to increasing risk of loss of privacy, unauthorised use of information, red tape and regulation as well as higher operational costs which are inevitably passed on to consumers.

  • This digital identity system will allow for the introduction of full governmental control of access by individuals to government and business services. Whilst the RIS indicates that Australians can continue to access government and other services at shopfronts or over the phone, it is by no means certain that such access will be continued in future, as evident during lockdowns.

Insufficient and unclear protections regarding the use of data

  • The protections on the use of the digital and, in particular, biometric information obtained under this system are insufficient and unclear. Whilst the Bill prohibits disclosure of biometric information to law enforcement (s. 76), “digital identity information” can be disclosed where the enforcement body reasonably believes that a person has committed an offence or has breached a law (s. 81). How are these inconsistent provisions intended to operate in practice? They appear to provide a broad ability for enforcement bodies to demand disclosure from a centralised repository of personal information and biometric data.

  • The RIS indicates relying parties may not compel individuals to use the system to access services and, with some exceptions, must continue to provide alternative options for identity verification (page 66).  In what circumstances would an entity be entitled to such an exemption?

  • What happens to a person’s data when an individual requests the deactivation of their digital identity, and what steps will be taken to ensure all relevant data has been permanently removed?

Concerns over the Independence of the Oversight Authority

  • The Oversight Authority is appointed by the Minister, supported by Australian Public Service staff and by an advisory board and committees appointed by the Minister. How can the Oversight Authority, therefore, be independent of government and instil greater confidence than the operation of the free market? How will decisions made by the Oversight Authority be reported?