Senator Expresses Worries About National Digital ID Creating a Centralized Repository of Data

An Australian senator has expressed his concerns over the federal government’s proposed national digital ID scheme, saying there are risks personal data could be even more centralised.

“I’m concerned about the risks of centralising data here, especially potentially biometric information, which can’t be changed if and ever it is leaked in a mass way,” Senator Matt Canavan told a Senate Committee hearing investigating the Digital ID (Transitional and Consequential Provisions) Bill 2023 on Feb. 9.

“I mean, wouldn’t it make more sense to try and decentralise this type of data, rather than create a scheme which incentivises its centralisation in one location.”

Sen. Canavan’s concerns were directed to Jordan Newnham, the executive director of corporate affairs at CyberCX, which provides cyber security and cloud services to both the government and private sectors. CyberCX is among major organizations such as the Commonwealth Bank, Westpac Bank, and supermarket giant Woolworths that have backed the federal government’s digital ID scheme.

Under the national digital ID scheme, Australians would be able to verify their identity through a digital ID system without needing to show “points” of identity every time it is needed by businesses, government agencies, and other organizations.

Instead, Australians would receive a one-time PIN from a digital ID app, which will serve as a one-stop-shop for verification across several services and platforms.

Related Stories

“It’s my understanding that the federated architecture that’s proposed as part of the digital ID scheme is sufficient to ensure the security of not creating what some might consider to be a ‘honeypot of data,’ particularly as you’ve alluded to highly sensitive and irreplaceable data such as biometrics,” Mr. Newnham responded.

“In our submission and our reviews of the bill, we are not concerned about that.”

Mr. Canavan further questioned Mr. Newnham on the need for ID centralization given that organizations such as Apple already have many Australians’ biometric data.

“I mean, this will centralize things more than currently because it’s only going to be open to people accredited through this system; that’s got to be more central than what we’ve got there,” Sen. Canavan said.

“This is creating sort of a government- or semi-government-backed system to centralize things and unnecessarily force customers into this process over time.”

In response, Mr. Newnham said the current model of providing identification documents in an ad hoc manner carried a greater risk than systematizing the entire process.

“You’re broadening the threat vector for the types of data that’s been housed wherever it is, and if you’re having to present different documentation to different people across an unstructured model currently—whether it’s in the private sector, public sector, federal government agency, state government agencies—that just widens the attack surface for threat actors to be able to find the weakest link,” he said.

No Centralization of Personal Data, Government Says

Concerns over data centralization were also put to the Department of Finance by chair of the Committee, Senator Jess Walsh.

“The legislation says that you can’t track across digital IDs … so there’s no intention from the government to store the data collected and used by private sector digital ID providers for their customers,” said John Shepherd, assistant secretary for digital ID and Data Policy at the Department of Finance.

“The government’s digital ID again seeks to limit the amount of information it stores to enable identification or verification of the person, and with their consent if needed to access a service.

“So the simple answer is no to your question. There is no centralization of all digital ID information.”

Duncan Anderson, acting assistant secretary of the digital ID legislation, confirmed the government’s stance, saying that additional safeguards under the bill would allow Australians to deactivate their digital ID.

“There’s prohibitions or restrictions on sharing certain types of sensitive information through either prohibited attributes or restricted attributes.