Australians will see an ‘alpha’ version prototype of a new, national opt-in digital identity credential for government services as early as August this year; with a fuller version likely to emerge in 2017 according to the new Head of Identity at the Digital Transformation Office (DTO).
That’s the take from Rachel Dixon, the woman hand-picked to galvanise the agency’s efforts to develop a new user friendly, multi-agency key to provide secure and easy online access to government services and transactions for consumers.
The recent appointment of Ms Dixon is a critical step forward for the DTO as it attempts to dramatically improve the public’s experience of dealing with government services by shifting to a so-called ‘user centric’ development model – one that is based on catering to the real world needs of citizens instead of forcing them conform to myriad of disconnected portals, passwords, information requirements and standards.
Not everyone in the public service is happy with the DTO’s rapid and highly delivery focused schedule. But fewer, most of all agency customers, are satisfied with protracted waiting times and online services stuck a decade behind that of the mainstream digital economy.
Notably, the revelation of the DTO’s big digital identity push comes hot on the heels of the disclosure that the existing myGov online access facility – which has been copping plenty of flak from users over recent months — is now be the subject of a formal audit from the Australian National Audit Office (ANAO) to determine its effectiveness.
Few if any in government expect the latest ANAO probe into myGov’s performance to deliver any good news, especially after the monumental scale of dysfunction and chronic under-resourcing of welfare agency Centrelink’s call centres was laid bare in an excoriating audit report last year.
Although the DTO’s big ramp-up on digital identity and the ANAO probe into myGov are not formally linked, the timing of the two announcements is so fortuitously close that it’s again rammed home the urgent need to arrest what DTO chief Paul Shetler has previously labelled the unacceptably high “failure cost” of poor and disconnected public services.
Public Services, private products
The announcement of the rapid, ground-up development of a new national digital identity credential has far-reaching implications for the private sector too.
Apart from the clear necessity for the federal government to urgently improve access to its services and transactions online, the appointment of a digital identity project chief has already aroused strong interest within the private sector, where online and offline identity verification requirements remain a significant cost and a major handbrake on rolling out integrated transaction services that can span business lines.
Elements of the private sector – particularly banks, telecommunications carriers and other ‘identity regulated’ industries – have for at least a decade been hoping Canberra will get its act together on the digital identity front to replace costly paper and photographic based checks originally based on the 100 points identity verification scheme.
Crucially, the DTO has confirmed it is actively evaluating the potential for a private sector digital identity marketplace here in Australia, hiring consultancy Deloitte to research and map the size of the opportunity.
Getting business inside the tent to try and sell the idea won’t hurt either, especially given some banks have been more strident than others.
Under a so-called ‘federated’ digital identity model such as that used in the UK, private sector organisations that provided trusted online services can also feed into customer verification mix – often using authorised private brokers – a model that at face value offers major synergies and cost savings across both government and private services and transactions.
While the DTO’s Australian digital identity project is still in ‘discovery’ – that’s developer speak for researching and establishing core user and product requirements – Rachel Dixon is refreshingly frank about the challenges that Australia’s comparatively small population and complex system of government presents.
“The thing I would say is that the market here is different than some other countries,” Ms Dixon told Government News.
One of the key differences is that the federal government in Australia is already a market participant in identity verification services through the Document Verification Service (DVS) which is run out of the Attorney General’s Department and processed 21 million transactions last year.
Originally an internal government facility, in 2014 the DVS was expanded substantially to offer checking services to the private sector, a move that created a sought-after new source of revenue for the government, especially the Attorney General’s Department.
(In May 2014, Attorney General George Brandis cited a “study by the Secure Identity Alliance and Boston Consulting Group” that he said had estimated “that e-Government services, enabled by trusted digital identities, are set to yield an estimated $50 billion in annual global savings by 2020.”)
While Ms Dixon flatly refused to discuss DVS pricing, Government News has previously attended presentations where the charge of an ID check – which is electronic – was outlined to be around $1 per transaction.
That kind of turnover, especially at scale, has increasingly aroused the interest of private sector providers who are authorised to use the DVS to provide commercial identity verification services, a quagmire the DTO will soon have to navigate through.
Although Ms Dixon candidly admits that a lot of people are now using the DVS, she’s equally unequivocal that commercial providers don’t always get it right when it comes to estimating the size of a market or the level of competition in it.
“If you look at the experience in the UK, with that market, the original identity providers that went there with Verify, all overestimated the share of market they would get,” Ms Dixon said.
“That is a risk in setting up a private market; unless they get to a viable business case, the boards of those companies are going to be unhappy with those business models. That’s a risk because at a certain point one … of the providers that is less successful may want to leave.”
One of the problems for government is when a private provider does exit the market, what happens to its customers.
Dixon makes no bones about the risk of taxpayers potentially propping up a half-broken business.
“The issue then becomes do you expose the government to rent seeking at that point from a provider that wants to exit, but instead uses it to negotiate a better deal in order to stay in the market,” Ms Dixon says.
“And that has happened where there has been monopoly providers. That’s something that obviously we’d want to take into account in our [DTO’s] commercial arrangements. If we were going to establish that market, that would be a big consideration in our negotiations.”
Opting in: what a Digital Identity will – and won’t – do
It’s no secret that Australia two most recent attempts to launch a national, government issued identity credential or document ended in failure thanks to the complex and often toxic politics that surrounded them.
Both Bob Hawke’s ‘Australia Card’ (essentially a national photo ID card) and later Joe Hockey’s ‘Access Card’ (a multi-agency government services smartcard also with a photo) died swiftly amid fears the instruments could give government new and invasive powers to keep tabs on citizens.
Even the far less contested rollout of e-health has taken more than a decade thanks to the fractious politics of federation, privacy and various stakeholder groups.
Although the debate around privacy in Australia has arguably changed (partly thanks to people increasingly putting more and more in the public domain through social media) two major problems that have endured are frustration with access to government services and stubborn rates of fraud and identity theft, also largely enabled by the internet.
According to the DTO, a force fit is off the cards and foisting digital identity onto consumers is something Ms Dixon clearly doesn’t believe in.
Rather she wants consumers to first buy-in to the functionality and convenience that any new credential can deliver, insisting it has to be designed to meet the public’s actual needs rather than the government’s.
“If the history of successful systems tells us anything, it’s that just mandating something from on high – especially in Australia – that the government mandating a digital identity is not necessarily the path to success,” Ms Dixon says.
“We have to give people a reason to want to have a credential to interact with government. In order for government to get the economic benefit of people doing things online, that comes back to consumers … what is good for people who use the system that are not in government.”
That, Ms Dixon says, is why the DTO’s primary concern in terms of its research requires an “unpacking” of “where the problem points are in authentication and verification for consumers right now.”
There is also a need to start defining how what is commonly called ‘identity’ works in enabling real-life transactions.
“If you try and talk to consumers about identity it’s a difficult discussion because the question is ‘what is identity for?’ What is it used for and what are they exposed to?” Ms Dixon says, making a careful distinction.
“Identity is better thought of as the ability to have trust online. That’s the key piece. The ability for the government to trust that you are who you say you are. And for you to trust that the government will deal with you in a fair and protective way … that they won’t spread your data around the universe or open you up to fraud.”
A big part of the implicit bargain governments have to negotiate around trust, identity and online transactions is just getting the balance right in terms of what data needs to be provided to gain a credential for a service – or the number of hoops a customer has to jump through – versus the relative value of that service to a customer.
Ms Dixon observes that while government services need a certain level of technical assurance in terms of you being who you say you are, the potential for friction starts in the trade-off between assurance and convenience.
“Where you fall down is if the amount of data, or the amount of steps the government is asking people to go through – too much data or too many steps of verification – relative to what’s at stake in the transaction,” Ms Dixon says.
“Different transactions need different levels of assurance,” she notes. “Do you need to know absolutely what the person looks like for this particular transaction?”
Asked outright whether a photo will be part of a new digital identity credential, her response is forthright.
“I think that’s the wrong question,” Ms Dixon says. “The first question is ‘what is the problem we are trying to solve’? The second one is ‘what are the tools we will use to do this?’”
“There is a difference between the verification or the authentication of an identity versus the authentication of a transaction.”
Are Biometrics in the Digital Identity Mix?
Of all the identity security and verification technologies that have climbed onto the digital bandwagon, biometrics was one of the fastest.
For decades police and security services around the world have had access to electronic fingerprint matching, followed more recently by biometric photos and algorithms being embedded into passports and licenses.
Despite being more and more pervasive, biometric technologies still attract their fair share of controversy ranging from the ability of surveillance cameras to spot and track faces in a crowd or mall to insurance companies using the tone of a person’s voice to detect if they are likely to be lying.
What government agencies, as well as businesses, are now confronting is at what point consumers might opt to use biometrics as part of a digital identity mix or authentication ecosystem, especially if it’s easier than entering a password.
Again, Ms Dixon stresses the distinction between authenticating a transaction and actually identifying a person.
Apple’s iPhone doesn’t really care if it’s actually you putting your fingerprint on its scanner.
“If you look at a thumbprint on an iPhone, that doesn’t have anything to do with your identity, Ms Dixon says. “That’s just a signal to a key that unlocks your phone. You don’t use the thumbprint for assurance, you use it for authentication.”
The argument really comes down to what consumers are comfortable with and if it gets them into what they need more easily and reliably, especially if passwords become so onerous they risk locking you out of a service after multiple failed efforts (think iPhone and FBI).
Dixon is clearly cautious about the implications of biometrics, but again defers to what consumers actually prefer to use as the real test.
Certain biometrics could be convenient for people in authenticating access to something; that’s different than the establishment of an identity in the first place, which is the assurance.
“The nice thing about thumbprints is that they get you over the hurdle of passwords,” Ms Dixon says.
“You use the technology that suits the use case. The first thing to do is to map out what people want. Not the government mandating [what people must use]. Base it on some actual research with actual use cases.”
One thing’s for sure.
If the Digital Transformation Office’s research actually manages to accurately map consumer needs and sentiment, and then produces a working digital identity prototype that the public embraces in less than a year, banks will be queuing up to buy it.
That may not be a bad thing.