Australia heads to a uniform governance regime for all data

I’ve been speaking and writing a lot recently about the newly legislated Australian Government Digital ID System (AGDIS).

Digital ID caught between the old and the new

In some ways, AGDIS embodies fresh thinking, such as the pivot away from abstract “digital identity” to the more concrete Digital ID.

On the other hand, AGDIS tries to leverage the federal government’s long-standing “Trusted Digital Identity Framework” (TDIF) which was conceived a decade ago for the purposes of single sign-on to tax and human services. TDIF predates modern digital wallets and verifiable credentials. It is a creature of an earlier era.

Unsurprisingly, there are mixed messages around AGDIS.

Will it furnish Australians with “reusable” proof of identity? Will it come with new ID numbers and a central registry? Or will it simply better protect our many existing IDs in digital form? And what is an “ID” anyway?

Minister Katy Gallagher has assured us that there is no new national ID, and indeed, there is nothing I can see in the Digital ID Bill about new numbers or a central registry.

The last thing we need is a novel ID

And according to Lockstep’s research, there is no fundamental need for anything new of that type. You see, proof of identity works reasonably well today using familiar IDs like driver licences, passports, birth certificates and social security cards.

Or I should say, proof of identity works well in real life.

But identification breaks down in cyberspace when these IDs are presented as plaintext to online processes. Web forms and web servers can’t tell if a plaintext ID has been presented by its rightful holder or by a fraudster who’s bought the data on the black market.

Almost all identity fraud now occurs online; very little fraud is attempted in person using counterfeit ID documents. So that tells us that the logic of using government IDs for identification remains sound in the digital age — if only we made the presentation in the digital realm as reliable as it is in the physical world.

Pivot away from plaintext presentation — again!

The real problem to solve is not “identity” but identification, and specifically, making the government IDs we use day-to-day more reliable online.

Verifiable credentials technology is the solution. We should ‘seal’ existing IDs into digital wallets and then present them digitally, from device-to-server, instead of manually typing ID details into forms.

And the really good news is there’s a precedent for this transition. We’ve done it before! The world shifted from plaintext to digital IDs for handling credit card numbers — when chip cards replaced magnetic stripes.

Now we have smartphone wallets alongside chip cards, with exactly the same cryptographic security that protects cardholder details against theft and cloning.

Consumer acceptance today of digital wallets is high and growing; over one third of all card payments in Australia are now done via a digital wallet (Reference: Reserve Bank of Australia). So verifiable credentials are commonplace.

It’s all about data quality

What excites me the most is that AGDIS shows a way forward for all data.

The government in its wisdom is making the ACCC the Digital ID regulator. The ACCC currently governs the Consumer Data Right (CDR), Australia’s regulatory regime for open banking and data sharing. Now, the CDR is not perfect, but it features a strong regulatory model, it sits in the right place with the ACCC, and it is extensible to the protection of Digital IDs.

The CDR is essentially a governance system for data flows, tracing where certain data has come from, where it’s going, what it is being used for, and above all, carrying consent for the data to be used in defined contexts.

I see CDR and Digital ID boiling down to data and metadata, in the broadest sense of that word.

That is, what are the properties of a data record that really matter when deciding whether to use it for some application? Where did the record come from? What is its intended purpose? If it’s a personal data record, then what consent was granted for its usage?

The same sort of metadata is routinely baked into verifiable credentials.

Remember that a verifiable credential is a data record holding one or more assertions about a person or entity (i.e. the credential subject) together with details of the credential issuer and metadata such as when, where, how and why the credential was issued.

So, with the ACCC governing data sharing and verifiable IDs, we could see a uniform new approach to managing data quality. Remember the pattern. In any critical digital transaction, there will be something precise you need to know about the counterparty. So ask yourself:

  1. What do you need to know about the party you’re transacting with?
  2. Where will your transaction system get that data when you need it?
  3. And how will the system know that it’s fit for purpose?

If we can govern that pattern consistently across the digital economy, then we will be able to solve a set of problems that are much bigger and much more important than identity. We can take care of the quality of all data.

Governing all data quality

The same data quality questions recur everywhere we look.

The wicked problems with deep fakes arise because we consumers can’t tell where the data is coming from. But a governance regime is within sight to provide quality signals (i.e. metadata) about any important data.

Consider an online image or article, or any piece of content online: what if you could be sure where the digital data has really come from, that it’s intact and genuine? We have the technology to authenticate authors and publishers and AI algorithms, anchored in verifiable credentials with certified hardware roots of trust.

If this looks complicated, then let me reiterate that we have already pivoted to digital presentation of payment card data. Banks routinely provision cardholder data in the form of verifiable credentials, a growing proportion of consumers are comfortable with digital wallets, and merchants can readily accept payments from digital devices, with radically reduced incidence of card fraud.

Australians could soon be presenting any Digital ID with the click of a button from a mobile digital wallet, with exactly the same privacy, security and ease of use as a card payment.

Looking to the future of data sharing, with AGDIS and CDR under the same regulatory umbrella, I see us heading towards a united governance regime for all important data. We can be sure where any data has come from, what it is supposed to be used for, and that it’s always been in the right hands.