The Australian government is considering using myGov or its myGovID system to centralize digital identity authentication following the Optus data breach, but critics warn that a single system could have its own weaknesses. of cybersecurity.
Former Telstra chief executive David Thodey was recruited to audit myGov when the Albanian government came to power, and his review would now look at whether myGov could be used to prevent people from having to submit government documents multiple times. identity, a spokesman for the minister of government services, Shortened invoicesaid.
The personal data of nearly 10 million customers was exposed in the Optus breach, including millions of passport, driver’s license and health insurance numbers, raising questions as to why why companies need to collect and store so much personal information.
The federal government will now consider whether to develop a unique digital ID service that businesses could use instead.
“The mandate of the audit is to examine how myGov can provide transparent services which will frequently involve private enterprise service providers,” Shorten’s spokesperson said. “This would save citizens from having to provide sensitive data multiple times to multiple entities.”
There are over 25 million active myGov accounts and the spokesperson said it would be “the natural home for expanded citizen service”.
In addition, the Minister of Finance, Katy Gallagher, has would have called meetings consider resurrecting digital ID legislation planned by the former government.
The Morrison government released a bill in October last year to expand the use of the myGovID system. It is currently used to authenticate identity through an app when people obtain a tax file number, transact with Centrelink or access myGov.
The government never presented the bill to parliament, but now shadow government services minister Paul Fletcher has called on the Albanian government to resuscitate the project.
“The Albanian government’s failure to push through these important reforms has left a serious hole in our ability to protect Australians’ data and better improve digital services,” he said.
But critics of the proposal warn that the digital identity framework could have its own cybersecurity weaknesses and is not suitable for use as a secure form of identity authentication.
Cybersecurity researcher Professor Vanessa Teague raised concerns early in the system’s development that storing ID document numbers would mean those documents would still be at risk of exposure in the event of a cyberattack or of data breach. She said the system uses an identity exchange that mediates all logins, so there’s a single point of failure where a server can track every time someone logs in and every service they connect to.
“There’s no reason for the authority that issued your digital ID to get a constant update every time you log in,” she said.
Stephen Wilson, a digital identity and privacy consultant, said the digital ID system was meant to be a single sign-on for government services, not a replacement for verifying someone’s identity.
“They aimed to give citizens a single key to access all federal government accounts, starting with tax, health insurance and Centrelink. The key proves that you are a known citizen of the ATO,” he said.
“But it wasn’t designed to verify anything else about you — especially things outside of the federal sphere.”
If ID numbers were compromised, everyone should be given a new one, he said.
Wilson argued that a better method would be to put the ID in digital wallets on smartphones. This would protect personal information stored in the card and simply authenticate identification with the service you are using.
“IDs should not be touched by human hands. Credit cards, health insurance, driver’s license, personal health IDs – they all need to be encapsulated in a personally checked chip and presented with a punch, so the recipient knows that each number is from the real person and not from an impostor.
A complication in developing a digital ID is that responsibility for various aspects of the system rests with different departments and agencies.
MyGov is owned by Services Australia, while myGovID is the responsibility of the Australian Taxation Office. The Digital Transformation Agency is responsible for leading the proposed expansion of the digital ID system.
By 2024, the federal government will have spent $624 million to expand the system since 2016, according to data released by the Parliamentary Library.
An ATO spokesperson said more than 6.5 million verified myGovID identities had been created as of October 6 and there were around 300,000 authentications per day.
#Government #plans #centralize #digital #identity #verification #myGov #Optus #breach