The future of digital identity
Australia is currently working towards a single digital identity solution that can be used for a range of online transactions within all levels of government.
In December 2014, the Financial System Inquiry Report was released. Recommendation 15 was: Develop a national strategy for a federated-style model of trusted digital identities. The section on digital identity provided a detailed recommendation and rationale, while also giving an overview of the systems used overseas.
Why do we need digital identity?
The growth of digital technologies has meant that most people choose to perform many transactions online. People want (expect!) to be able to quickly and easily interact with private and government organisations online.
The concept of digital identity is simple: it allows online systems to verify your identity in some way before you complete a transaction. Online banking is a good example, with the most basic form of identity verification being a username and password. While different financial institutions may require different levels of identity verification (e.g. the additional security of an SMS-delivered code for some transactions), the end result is the same: the information you provide is ‘proof’ of your identity.
Digital identity for government
For government there are many advantages of using digital identity. For a start, it provides citizens with the quick and easy access they expect. Online services that verify a user’s identity also allow the government to shift many services from more time-consuming face-to-face operations to automated services.
Australia already has existing government websites that use digital identity verification, however these websites and services often require different logins, passwords, and identity verification processes.
How does the rest of the world approach digital identity?
As the saying goes, don’t re-invent the wheel. Governments around the world have been working on digital identity for many years and many governments are much further along in the process than Australia. These countries have trialled and/or adopted different types of digital identity solutions that we can, and should, learn from.
One of the most publicised systems is from Estonia. The Estonian system is an electronic ID card that was developed in 2002 and now has more than 1.2 million active cards in operation (according to https://e-estonia.com/component/electronic-id-card/). The ID cards include a chip that uses 2048-bit public key encryption. The one card is used across a very broad range of services — from voting (a world first) and other government services, to logging into bank accounts online. This is an example of a syndicated model.
In the UK, the government uses GOV.UK’s Verify, which is officially in the public Beta stage. Verify uses eight ‘certified’ companies (Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon) to set up citizens’ digital identities and then to verify users each time that person logs into GOV.UK. Barclays describes the set up as a three-step process:
- Set up an account profile (which includes an email address and UK phone number).
- Proof of identity (need UK passport and UK photo driving license for this step).
- Identity verification (this stage includes a variety of questions to verify identity, including information from recent financial statements).
GOV.UK states that Verify takes about ten minutes to set up (once-off) and is then less than a two-minute process to login (and have your identity verified) for subsequent uses of GOV.UK.
What has Australia already done?
Australia already uses a few different digital identity solutions to provide online services to citizens and businesses. In the 2007 report on the Financial System Inquiry, 10 systems were identified as ‘existing elements for a federated-style model’. Examples of these elements include myGov (which brings together citizens’ Medicare, e-health records, Centrelink and the ATO information and services) and AUSkey (which verifies a business’s identity for online transactions at all levels of government).
The problem? These systems aren’t unified — beyond the services that are already joined up like Medicare and the ATO through myGov.
Where’s Australia going?
The Financial System Inquiry looked at both a federated-style model (like the UK one) and a syndicated model (like Estonia’s) and found that: “A federated-style model suits the Australian context as Australia has not had a history of government-issued identity cards and has a strong privacy ethos compared to other jurisdictions.”
While the Report discussed advantages of both the federated and syndicated models, its recommendation was for the federated approach. Having said that, the Digital Transformation Office (DTO) in its 8 March blog Digital Identity – early days in the Discovery process mentioned that they’re currently assessing the pros and cons of the federated model. It’s unclear at this stage whether that means they’re also investigating a syndicated model.
DTO and digital identity
The DTO is now responsible for digital identity in Australia. The DTO says its work will: “involve establishing a common strategic approach to identity across government and preventing agencies from investing in bespoke solutions.” (from https://www.dto.gov.au/budget/trusted-digital-identity-framework/) It’s currently in the process of creating a digital identity Alpha. Discovery started in January this year and an Alpha is expected in August. In her 8 March blog, Rachel Dixon said: “Currently users have to identify themselves again and again when they interact with different government departments, and we want to find a solution that fixes this problem.” The blog discusses the current discovery phase (analysing different use cases) and the two stages of building a digital identity Alpha:
- Building a product to verify identity.
- A credential or login.
Sitting alongside digital identity Alpha is the Trusted Digital Identity Framework (TDIF). Dixon said: “We will work with a wide range of public and private sector stakeholders to develop a broader framework for trusted digital identities better enabling the DTO and other agencies and governments to work together.” The DTO will release a prototype of the TDIF in August, to coincide with the digital identity Alpha.
Salsa Digital’s take
Creating a unified digital identity is key to both the digitisation of government services and service unification (two important elements Tom Burton covered in his keynote address at DrupalGov 2016 — see our blog on Tom’s keynote).
While the government focuses on getting more services online, user identities need to be verified to access many of these services. And in terms of service unification, one digital identity that works across different departments and all levels of government is essential to a truly unified solution.
Salsa’s looking forward to finding out more about digital identity in Australia and to the August launch.