Identity verification in Australia needs an overhaul to make better use of biometrics, according to an independent review the government has kept secret for three years.
The formerly secret review also recommends the government make its facial verification system available to the private sector.
Commissioned in 2018, the review was led by former Attorney-General's Department secretary Roger Wilkins and IDCARE managing director David Lacey. It was handed to the government in 2019, but never released.
iTnews has obtained the review under freedom of information laws, and can now reveal the findings and 26 recommendations it contains, which remain under consideration by the Department of Home Affairs.
The full PDF of the review can be viewed here.
According to a spokesperson from the department, the review is one of many sources informing its “work on identity protection and resilience, and the lawful, ethical and appropriate use of biometrics”.
'System of identity' not fit for online
The 92-page review found that Australia’s “system of identity” currently has a “large number of weaknesses and deficiencies” due in part to its “ad hoc” origins, and is not fit for a future of online transactions.
Even in comparison to similar countries, the ID system here is “more costly, inconvenient and less secure”, according to KPMG modelling commissioned by Home Affairs as part of the review.
“The model indicates that the current Australian system has a lower level of integrity and utility, and a higher level of friction than most other countries such as Israel and New Zealand,” an appendix to the review reads.
“The lower integrity level within the Australian system is a reflection of the limited use of biometrics to proof, verify and authenticate identity.
“The lower utility and higher friction levels reflect the large number of credentials in Australia used for identity purposes, and the widespread acceptance of the 100-point check which requires individuals to produce multiple credentials to prove identity.”
Australia’s current ID system was also found to be “uneconomical with identity data”, with both government and the private sector collecting and retaining too much data.
Greater use of face verification
Instead, the review recommends that Australia adopt a “skinny” concept of identity, whereby only a small number of attributes such as a name and date of birth, as well as a biometric identifier, are considered “core identity”.
All other attributes or information “should be treated as additional information about a person” to maximise “privacy, interoperability and portability”, the review’s authors said.
But this would require government agencies and businesses to rely almost solely on the federal government’s facial verification system (FVS), as well as the document verification system (DVS), for identity verification.
“Facial biometrics are central to reform of the system of identity. Facial biometrics are intimately tied up with our idea of 'skinny identity'”, the report said.
The FVS is currently available to select government agencies to conduct one-to-one photo comparisons for identity verification, but – unlike the DVS – it remains inaccessible to the private sector.
Local governments and businesses are slated to gain access to the FVS following passage of the long-delayed identity matching service bill, rejected by the Parliamentary Joint Committee on Intelligence and Security in 2019 over privacy concerns.
iTnews understands that proposed amendments to the bill, which will also see the creation of a national drivers licence facial recognition service, were referred back to the PJCIS in July 2020.
The review recommends the government “complete the FVS and make it available to the private sector” at the “earliest opportunity”, but that its use should be “contingent upon each organisation meeting standards set out in the identity code”.
Any use of facial biometrics and the FVS “should require a person’s choice or consent, or be authorised by law”, the review said, adding that there would need to be a “genuine alternative” for those that require it.
“This system of reliance effectively limits the amount of data collected and the number of organisations that have the data; in stark contrast to the current system in Australia,” the review said.
“The use of biometrics also provides a much greater level of security and certainty about a person’s identity than the current reliance on a collection of documents. It also makes it easier and more convenient to check an identity at any point in the process.”
Core credentials should be free
For this approach to work, the review recommends that every Australian be able to access a “core credential” that contains a biometric, such as a passport, drivers’ licence, ImmiCard or proof of identity card.
The credentials would be free to the public, with the review suggesting the ID system be funded “through the application of fee-for-use of the FVS and DVS, rather than charging for credentials”.
But this also creates a problem: the biometrics used in identity documents are of “varying quality”, depending on how they were collected and the different International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) standards used.
The review therefore recommends that a “new high standard of ‘proofing’ identity for the purpose of issuing a core credential”, with different levels of identity – gold, silver and bronze – be set out in a new Code of Identity.
Credentials would also be “bound” to an individual’s birth certificate, visa or citizenship, so that it is “not possible for anyone else to pretend to be that person by using the birth certificate”.
For this, the review has recommended that state and territory Birth, Death and Marriage registries “cooperate to develop a national data exchange so that for every citizen there is a complete comprehensive and accessible record of life events”.
Office for Identity Protection and Management
The report also recommends the government create an Office for Identity Protection and Management (OIPM) in Home Affairs to lead national identity policy, including protection and recovery following compromise.
The OIPM would have responsibility for developing and coordinating strategies for the “restoration of identity” and “identity resolution” – “key gaps in the identity system in Australia”, according to the review.
It would be expected to work with identity and cyber support service IDCARE and other organisations to “support their delivery of frontline response efforts and [be] the point of enrolment for consumers to initiate notification of the compromised identities”.
At present, the system is “almost entirely dependent on each individual victim” contacting multiple government agencies and businesses, a process that is estimated to take around 23 hours to complete.
In the absence of clear national leadership, the states and territories are increasingly going it alone in this space, with the NSW government last year standing up an identity recovery unit called IDSupport NSW to streamline the process of replacing compromised credentials.
Issuers of “core credentials” would be responsible for “managing the consequences of the loss, ‘theft’ or the compromise of credentials”, including the restoration and reissuing of the identity credential.
The review also recommends that the FVS and DVS be “extended to allow notification to a verifying organisation that an individual’s credential is at risk of misuse, where there are reasonable grounds to believe a credential has been compromised”.