Australia's Digital Identity aka a Digital Passport that Data Matches for More Robodebts
I've lodged this submission today to the inquiry into the Digital Identity. I highly recommend people lodge an objection to this on privacy grounds. You can submit a quick less than 1000 words. Since composing this I have found a link that has more than just the Guide on, but there was enough in the Guide to make my mind up. If anyone needs any help in how to do a submission I'm happy to help https://www.digitalidentity.gov.au/have-your-say/phase-3
23 October 2021
Inquiry into the need for a Digital Identity.
Thank you for the opportunity to submit to this inquiry.
I will firstly note my disappointment that right off the back Govt has chosen to try & stifle individuals’ voices yet again. I will remind that individuals include sole traders & many small business operatives.
I note I had to go hunting for the proposed Bill & came up empty. So, I have had to wing it using the 46-page Guide to the Bill. By limiting “Individuals” in submission to only 1000 words as Organisations get to upload 20MB, in my opinion Govt has failed to show it has given fair consultation on what will majority affect individuals. It seems with respect the Minister needs to be reminded that if he is going to Represent the people (individuals) he should actually enable equal & fair consultation for them to be able to say something. I’m going to assume that the Govt website is not operating properly & to that end note I will be uploading it public also to my personal blog page to ensure the information is not lost.
I have an old TAFE Programming Certificate, Certificate III in Business Administration & hold a 2017 Diploma of Accounting which included establishing a secure Accounting Information System in the business place mindful of privacy. I have worked for many years as a bookkeeper in various types of business entities & sizes.
Ergo I believe I have the experience both as an individual & in the business workplace to make a contribution.
Yours faithfully,
Tracey Hoolachan
1.1 If this was for the purpose promoted a safe custody area for personal documents in case of loss, there would be no need for access by 4 different entities & certainly no need for an identity exchange. It is fairly obvious that there would need to be some type of initial onsite verification of identity. That could be done in unison with creation of the digital identity (DI). A lesson on management is a self-help tutorial. That leaves only webpage management. I cannot see a need for any other entities having access other than process auditing agencies.
1.2 Exactly what participants is “identity exchange” facilitating? This looks remarkably like giving the data match team a key to the front door.
After Robodebt I think Govt needs to lift its game on privacy.
2.0 Approval process
2.1 The Oversight Authority is just another unnecessary layer if the DI is for the promoted purpose of back-up of lost identity papers. If the instruction for a release is given by its owner after password access that document can be emailed to either the identity owner or their nominated receiver. A covering letter within that email could verify it a digital password document.
2.2 It is the Minister that picks the candidates for the authority & its committees. Both the current Govt & Opposition have abused that process for decades. Individuals’ protection agencies are now mostly all duds filled with a long line of ex political staffers & party stalwarts. E.g., Govt’s latest appointment for the Australian Human Rights Commission (AHRC) Liberal rusted on Lorraine Finlay (don’t hesitate to ask for more examples even within the same AHRC). This protection authority will be stacked like all the others. Unless blind recruitment occurs in selection of senior personnel & whistle blower protections are in place it will be same ole same ole.
3.0 Accreditation Conditions
3.1 The Oversight Authority having control over who has access & how much access to a DI owner’s personal documents is an overstep. This has all the feel of a data mining APP & not a tool to genuinely help people.
3.2 The Oversight Authority having control over which business can access the DI also gives a trading advantage to large entity businesses. Large entities normally have the staff resources & quality assured status to quickly adapt to & accommodate new programmes.
4.0 Accredited entity obligations
4.1 There will be data breaches - Large companies & Govts with expensive online security have been hacked & this Agency will be hacked too. This is a link to data breaches across 2018-2021. It includes many State Govt entities & even Microsoft. https://www.webberinsurance.com.au/data-breaches-list. This DI agency is putting all the data, identity thieves want, in one big very tempting candy store. It is assisting them to steal Australians’ data faster. Remember how Census went down & that was only up open access for a short space of time.
4.2 There will be privacy breaches. In one sweep at DHS Centrelink more than 100 people were caught breaching privacy. The key to online privacy within an agency is reduce access to the stored data. The fewer users with password access to a DI owner’s data the better. The idea that an Oversight Authority can deem who is trustworthy enough to get access to people’s private information when the hands-on staff are changing every week is ridiculous. The idea that businesses will have the same level of control as Govt even more ludicrous. That is before we consider businesses falling on hard times in a Covid world, cutting corners & being tempted to misuse their access.
4.3 The Australian Govt putting itself in the middle of that potential class action for the stolen assets of over 25 million Australians is akin to rebuilding the Treasury in the middle of a minefield.
5.0 Accredited entity obligations
5.1 Putting “Trusted” in front of the name of the agency is not nearly enough. Govts past & present have an appalling history of breaches, privacy & misuse of data. Australians are currently looking at a lot of businesses that have abused Job Keeper & Govt has protected those businesses from financial recovery. That is vastly different from the treatment of individuals under the data match Robodebt Centrelink “overpayment” debts. The Govt & indeed the Opposition have an unbalanced system of justice aimed wholly & solely at protecting themselves & businesses that donate to them at the expense of individuals.
5.2 Even with long jail sentences to back up protections Govt has just found ways to prevent individuals from getting justice. As one obvious example Senator Stuart Robert MP himself this bill’s advocate’s show on Robodebt. I have been trying for 4 years to get an Authorised Review so I can put the information before the Administrative Appeals Tribunal (AAT), of the unlawful privacy breaches by Govt itself. These arose as a result of data match being used with both an external private College & a debt collection company. Even if I get the privacy breaches under the nose of an AAT, I am likely to get an ex-political staffer AAT Member. Even if I get an AAT Member to determine breaches occurred, I get swung back to a Minister for Home Affairs who will determine if they want to pursue a case.
6.0 Suspension or Revocation of Accreditation
6.1 Suspensions or revocation for a cyber security incident are a pointless pursuit. Are you going to shut down access of all Optus, Microsoft, TPG users who had breaches per the link at Section 4.1 herein? Or even banks remember that major breach with the loss of bank statement file of Commonwealth Bank of Australia off the back of a Fuji Xerox truck? I doubt it. In fact, in that example shortly after, Australian Parliament House (APH) gave Fuji Xerox even more work & data to vibe the 2016 election winners. That Census fail using sub-contractors by IBM got them a $1 billion computer maintenance contract shortly after. The worse they are the more they get. The only entities that will lose access will be small businesses, who will have been put through the hoops, sold a whole lot of feel good, but useless cyber protections for that access.
6.2 I’ve no doubt that thanks to Covid19 games there are many businesses that will have been trading insolvent, but the smaller the business the longer it will take for that to be recognised by the Australian Taxation Office (ATO) as in Australia we have self-reporting for tax. A breach takes a few seconds & then it’s too late.
7.0 Regulation and Oversight
7.1 An Oversight Authority hand picked by the Minister is not an Oversight Authority, but a mouthpiece of that Minister, reliant on that Minister for their job. Unless there are blind recruitments with no ministerial oversight & interference then this is just one big personal data grab with taxpayers picking up the bill for their own theft.
7.2 “enforce some of the protections in the Bill, such as those related to choice and deactivation of digital identities” - Govt has an appalling history of allowing choice. The Cashless Debit Card for example has had people jumping through hoops and waiting for months & months on end to opt out.
7.3 “assist users in the event of a digital identity fraud incident or cyber security incident” – the very fact Govt has considered this should alert people to its own doubts in its own security. And based on the Australian Govt’s history with tech this is probably the only paragraph worth saving from this entire proposal.
7.4 “maintain publicly available registers showing the details of all accredited entities and onboarded entities”. Way to go…A loyalty reward scheme for political donors in the making with expenses borne by the public purse.
7.5 “promote and support digital identity matters generally, for example by engaging in promotional and community awareness programs”. Govt has used enough of taxpayers’ money for its own free electoral benefits in the Covid19 fiasco. If this was the benefit claimed then a simple press release, that costs almost nothing, should get enough traction for anyone capable of benefiting from a digital identity to go to a Govt webpage like all the other advices from Social Services & ATO.
7.6 “allow an entity to conduct testing in relation to the trusted digital identity system.” – I’m not seeing there are any privacy benefits for businesses who are opening themselves up to having potentially a Govt tracker APP on their computers. What I am seeing is in order for businesses to maintain their own privacy they’d have to get a computer & anti-viral software solely for running this or taxpayers are going to have to fund those businesses’ anti-viral checks/programs. That means increased public purse expenditure or business expenses reducing their tax liability & public purse revenue.
8.0 Advisory Board
8.1 Again the Minister picks the Advisory Board & Committees thereto. So, there is absolutely no independent source scrutinizing the Minister’s actions & motive.
8.2 The Minister’s picks NEVER afford input or protections for individuals on governance committees. Small businesses are drowned out by large enterprises. For too long there has been poor representation in Social Services, Workplace, ATO governance committees. Individuals & small business make up the bulk of Australian entities. In Covid19 the rose-coloured glasses went. Instead of creating new stacked committees ALL Ministers’ time would be best spent looking at fixing fast all the existing stacked Committees.
8.3 It costs nothing to have a public inquiry to advise Govt. So why should the public purse have to pick up the casual wage bill for another bunch of ex political yes men staffers or donors? Either the Minister knows his job & has done his research on DI systems or he hasn’t. This has all the earmarks of a cyber sales job, that will waste more public money. After the fiasco of the CovidSafe APP, I seriously doubt Govt can even pick good independent cyber advisors. “CSCRC and Data61, a team of 17 cyber security experts analysed and tested the app, before handing a technical assessment to the government” (Source: - https://cybersecuritycrc.org.au/covidsafe-app). This committee that includes Jennifer Westacott of Business Council of Australia who a few years earlier in news reports announced a $50 Million electoral war-chest to get Liberals elected got a $50 Million grant. They “independently” kudos’d the CovidSafe APP for a disease with surface life. Really…
9.0 Protection & Additional Privacy Safeguards
9.1 Govt & the Opposition have a dreadful history of breaching individuals’ privacy & they have stacked the agencies to cover up for their criminality. These agencies no longer afford individuals & small business the protections they should. E.g., Privacy Commissioner’s Andie Blog ruling condoning the breach of the Robodebt victims’ privacy for publicly fighting her most probably unlawful debt. Govt has also been targeting public servants that are whistle-blowers of crimes & the legal consorts using the breach of privacy as a lever. E.g., Richard Boyle (Source: - https://www.abc.net.au/news/2021-04-29/prosecutors-proceed-case-against-ato-whistleblower-richard-boyle/100105710). E.g., Witness K & his legal defence Collaery (Source: - https://www.theguardian.com/australia-news/witness-k-case). E.g., David McBride (Source: - https://www.google.com/search?q=McBride&rlz=1C1PRFI_enAU904AU913&oq=McBride&aqs=chrome..69i57.4881j0j7&sourceid=chrome&ie=UTF-8). The Commonwealth Ombudsman’s Office, on two separate occasions doubled over backwards to avoid the unlawfulness of Robodebt. In my own case an Ombudsman investigator wouldn’t touch the topic of privacy breaches on Robodebt & my privacy breaches or even assist me getting the Authorised Review of same. It’s fair to say that there are only few good agencies left that have not been whipped using the threat of privacy breaches as with wild abandonment Govt has been stripping citizens’ privacy everywhere. The involvement of these agencies is totally worthless & until we get an effective Commonwealth Integrity Commission to clean up the extensive criminality in Govt enabling access to even more of individuals’ private data that can be controlled it may be dangerous for innocent individuals.
9.2 “When verifying or authenticating an individual, an accredited entity must not send the user’s attributes to a relying party without the user’s express consent (e.g., the user may be required to check a tick box).” Huh? Govt has been giving itself increasing powers to take over people’s online interactions to the extent they can tick the box, pretending they are me, themselves. E.g., the Surveillance Legislation Amendment (Identity & Disrupt) Bill on suspicion so it can “modify, add, copy or delete data when investigating serious online crimes”. Govt with premeditation has created the suspicion itself with Robodebts using poor unsubstantiated data sources. They ignored AAT 76 times & created an admitted 400K unlawful Centrelink overpayment debts. Proven with intent they were a serious jailable crime. (Source: - https://theconversation.com/facebook-or-twitter-posts-can-now-be-quietly-modified-by-the-government-under-new-surveillance-laws-167263?fbclid=IwAR2dpJrqXrCdCPBYalT1uyvmtqyQLaOZqjKhYxWbiL0tnYZKQV8NbzAs-E8)
9.3 “The Bill allows for retention of biometric information in narrow circumstances to enable limited operational testing and fraud detection activities.” Government’s “fraud detection” activities include data matching aka Robodebt that has seen the biggest Govt legal payout since Federation started. Govt has continued to run Robodebt despite it not using what the Statement of Agreed Facts referred to as “suitable information”.
9.4 “The Bill and TDI rules place controls on such testing, including requirements for: - approval from the Oversight Authority” (which is the Minister’s pick); “testing plans” & “only certain kinds of testing to be undertaken deletion of biometric information after 14 days.” (Just like we have seen with the Cashless Debit Welfare Card trial that has been continually extended, with no real positive results for over 6 years which is over 2 electoral terms – some test hey?).
9.5 “Accredited entities must not disclose information about a user’s activities (i.e. the individual’s access and use of the digital identity services provided by the entity) except in permitted circumstances such as using the information to provide services or comply with their obligations.” On all those multi-page fine print documents that most people gloss over from their banks etc. there is usually a section that protects the entities from retaining your data for establishing your future service needs.
9.6 “The Privacy Act generally permits disclosure of personal information to an enforcement body if is necessary for an ‘enforcement related activity’.” Only because the Privacy Commissioner was hired by Govt & “generally” has chosen to ignore the requirements that when gathering evidence, a search warrant is required showing reasonable cause for that search. This is so that Govt can not go on a fishing expedition & target individuals for its own political benefit.
9.7 “Accredited entities must not use or disclose a person’s digital identity information for marketing purposes that are unrelated to the digital identity services they provide to the user.” Disclose to who & what is the point of accrediting entities at all if they are able to just act as a go-between for other entities not accredited.
9.8 “A participating relying party must not require an individual to generate or use a digital identity as a condition of being able to access their services, unless the participating relying party has an exemption from the Oversight Authority” – Which means that Govt who picked & control the Oversight Authority can discriminate & limit the trade, services & free movement of privacy conscious users who choose not to have the DI. A Digital Identity is starting to look remarkably similar to a Digital Passport that is deeply unpopular.
9.9 “Another protection that will exist in the trusted digital identity system is the requirement for the existing Services Australia identity exchange to undertake technical blinding. This protection will be contained as a condition on Services Australia’s accreditation from the commencement of the Act.” Australians were given all sorts of assurances re My Health Record not being accessed by DHS. All that happened was a name change to Social Services Australia & used the fake Covid19 tests to hide the unlawful access to medical histories.
10.0 Powers of the Oversight Authority
10.1 “anything else necessary to fulfill its functions.” – Its powers include going into unlawful Robodebt territory again. So, I think Govt had better list every single one of those extra powers thank you.
10.2 “For matters other than the additional Privacy safeguards, the legislation grants the Oversight Authority powers to: - issue infringement notices; seek enforceable undertakings; seek injunctions and seek civil penalties (a financial penalty or a fine) from onboarded entities which commit the following.” I don’t think so. We already have the Australian Federal Police, that if they had not been completely trashed could be used. This Oversight Authority is just sounding like a Minister’s personal police force setting its own rules to play by & who it targets.
10.3 $66,000 fine for onboarded entities type individuals for “Failure to comply with directions” of the Minister’s trumped up Oversight Authority; “Failure to comply with notices to produce documents” & “Failure to keep records” that may be a professional breach of confidentiality trust with their own clients e.g., reporters, doctors, lawyers & accountants; “Failure to destroy or de-identify information” which may be evidence against the Minister’s own criminality; “Holding digital information outside Australia” which is the only safe place Australians can go to for justice now. Guess again!
Conclusion
There is absolutely no benefit in the Digital Identity for individual Australians or small businesses. All indications are it’s been set up to support its unlawful Robodebt attacks on individuals & attack small businesses for failing to assist them by placing fines on them for information.
Further the Minister has even misrepresented the real saving to individual Australians is $0 unless they have an emergency requiring document replacement. Anyone can get a photocopy of their personal identity documents for a few cents & have them certified for free by Justice of the Peace in the community as a true & correct copy. Many solicitors are willing to store these documents with Wills. Put in a Tupperware container & buried in a hole in the back garden it is pretty safe from fire & floods for an emergency.
Many Australians should already have their documents on file at DHS Centrelink. If the Minister is going to assure Australians it can be trusted to store further documents maybe start in that Department that continually tells customers it hasn’t received applications & can’t find notifications on file.