This year has seen a flurry of activity on digital ID in Australia, both by the Government and the private sector. Digital ID, in this context, means the ability for organisations transacting online to have confidence that they know who they are dealing with, and where necessary to obtain trusted information about the other party that may be needed for regulatory or risk reasons. Examples include “know your customer” anti-money laundering requirements for financial institutions and verifying the age of customers for online alcohol purchases.
Current regulations oblige retailers to collect and store large amounts of sensitive information on their customers, which they are then required to manage and secure. High profile data breaches, such as at Optus in September 2022 showed the costs of what happens when such sensitive customer information is stolen by cyber attackers – both the direct costs of compensation and the indirect damage to brand value and trust. Many observers questioned why Optus collected and stored this data, not fully appreciating it had a regulatory obligation to check the identity of customers in case a phone service is used in the commission of a crime, and to be able to prove it had done so. This meant collecting and storing details of identification documents such as driving licences and passports that customers provided during the sign-up process.
Digital ID provides another option – using a trusted digital identity service provider that can attest to a customer’s identity without handing over identity document data to the retailer, where the latter is often referred to as the relying party in such a digital transaction. The concept can be extended to obtain other trusted attributes about the customer where required, for example driving licence entitlements, working with vulnerable people check status etc. Importantly for customer privacy and confidence, the customer has full control and visibility over what specific items of their personal information are handed over, and to whom. This also has applications for in-person transactions – for example, anyone fortunate enough to be asked to prove their age before entering a nightclub, a licensed hotel or making a purchase from a liquor store shouldn’t need to show full ID revealing their date of birth and home address; a digital identity app on their phone could just show an “over 18” confirmation as that is all the security staff on the door need to know – for the customer what they are providing is on a “need to know” basis.
As well as the potential benefits to retailers in meeting regulatory obligations such as only selling to customers over 18, and meeting data security compliance requirements by potentially removing the need to store sensitive information, there is also the opportunity to improve sales by reducing friction when a new customer comes to your website. Australian research1 suggested that, from a customer point of view, long registration forms or cumbersome ‘forgot my password’ processes are so frustrating that in total 70% of customers end up abandoning their digital shopping cart. A digital identity system could enable the equivalent of Amazon’s US-based “Prove Pre-Fill” service2 to pre fill and authenticate the information a new customer is entering.
Of course, nothing comes for free – such a system places responsibility on the identity service providers and attribute service providers to ensure the provenance of the data they are storing of consumers, to secure that data accordingly, and ensure its integrity when transmitted to relying parties. They are bound to be very attractive targets for cyber attackers, but are likely to be major
service providers who are experts in owning and managing cyber risks. The investments in technology will only be worthwhile if there is widespread take up of such systems, which in turn will depend on consumers and relying parties having trust in these service providers. The “Australia Card Fail” many years back showed that people are reluctant to trust centralised Government systems, and since then people have become more concerned about what commercial organisations might do with their personal data.
Solutions to these challenges have been talked about for many years, and government digital identity service providers such as MyGovID already exist – although today these can only be used for limited government services such as submitting personal tax returns. The change of Government in May 2022 stalled progress on legislation to enable further expansion of such systems, but recently the Department of Finance has taken over responsibility and published new proposals in September 2023. These proposals specify rules governing security, privacy and fraud protection that will be mandatory for anyone connecting to Government digital ID systems. However, a phased approach is envisaged which means it could be several years before such a system is available for everyday use by retailers in the sort of use cases discussed above.
Although the Australian Government paused for a while before the latest flurry of activity, the rest of the world has not stopped and waited. We are now seeing private sector digital ID systems being launched, such as ideas floated by Apple to store identity credentials in digital wallets on their devices (albeit in the US, at least initially), and the recent launch of ConnectID here in Australia, a digital identity system using the big banks for customer verification services. The future is likely to involve a mixture of government and private identity systems.
These potentially overlapping and competing systems present a dilemma for customers and retailers in understanding who they can trust. The recent consultation documents from the Department of Finance offer a potential solution in the form of voluntary “accreditation rules” that any digital ID system, or even individual service providers could adopt. To become accredited will require various initial compliance assessments as well as signing up to legally enforceable ongoing commitments such as restrictions on tracking and profiling of customers, as well as security standards and processes. Accredited parties will be able to use “trustmarks” to demonstrate their accreditation status. There is no accreditation concept for relying parties such as retailers, although digital identity systems could impose conditions for using to their services, and they will still need to comply with other regulations such as the Privacy Act when handling data such as customer profiles and loyalty information.
To summarise, digital ID provides an opportunity for retailers to reduce some of their biggest data breach risks by minimising the collection of sensitive personal data of their consumers that they have no ongoing need to store. However, it is a rapidly changing field, and it will be important to keep abreast of developments. Retailers will need to understand the right time to start adopting such technology, and to do so in a trusted way that doesn’t inadvertently create other risks instead. Also, be aware that digital ID is not a silver bullet to solve all cyber security problems. In particular, basic cyber hygiene of your own IT systems will still be required, and will probably be a prerequisite for any relying party that wants to connect to any reputable digital ID system. Fortunately, there’s plenty of advice out there on getting the basics right, and that’s something you can start doing now.
Rajiv Shah is Managing Director of MDR Security, a cyber, cloud and data business which provides technology and business consulting, and strategy and policy research; he also supports and advises innovative businesses such as Net Consulting that can help all sizes of organisations to reduce their cyber risk.