Senator Concerned National Digital ID Will Create Centralised Treasure Trove of Data


One cyber expert says the risk of creating a ‘honeypot of data’ for hackers was low.

An Australian senator has expressed his concerns over the federal government’s proposed national digital ID scheme, saying there are risks personal data could be even more centralised.

“I’m concerned about the risks of centralising data here, especially potentially biometric information, which can’t be changed if and ever it is leaked in a mass way,” Senator Matt Canavan told a Senate Committee hearing investigating the Digital ID (Transitional and Consequential Provisions) Bill 2023 on Feb. 9.

“I mean, wouldn’t it make more sense to try and decentralise this type of data, rather than create a scheme which incentivises its centralisation in one location.”

Sen. Canavan’s concerns were directed to Jordan Newnham, the executive director of corporate affairs at CyberCX, which provides cyber security and cloud services to both the government and private sectors. CyberCX is among major organisations such as the Commonwealth Bank, Westpac Bank, and supermarket giant Woolworths that have backed the federal government’s digital ID scheme.

Under the national digital ID scheme, Australians would be able to verify their identity through a digital ID system without needing to show “points” of identity every time it is needed by businesses, government agencies, and other organisations.

Instead, Australians would receive a one-time PIN from a digital ID app, which will serve as a one-stop-shop for verification across several services and platforms.

“It’s my understanding that the federated architecture that’s proposed as part of the digital ID scheme is sufficient to ensure the security of not creating what some might consider to be a ‘honeypot of data,’ particularly as you’ve alluded to highly sensitive and irreplaceable data such as biometrics,” Mr. Newnham responded.

“In our submission and our reviews of the bill, we are not concerned about that.”

Mr. Canavan further questioned Mr. Newnham on the need for ID centralisation given that organisations such as Apple already have many Australians’ biometric data.

“I mean, this will centralise things more than currently because it’s only going to be open to people accredited through this system; that’s got to be more central than what we’ve got there,” Sen. Canavan said.

“This is creating sort of a government- or semi-government-backed system to centralise things and unnecessarily force customers into this process over time.”

In response, Mr. Newnham said the current model of providing identification documents in an ad hoc manner carried a greater risk than systematising the entire process.

“You’re broadening the threat vector for the types of data that’s been housed wherever it is, and if you’re having to present different documentation to different people across an unstructured model currently—whether it’s in the private sector, public sector, federal government agency, state government agencies—that just widens the attack surface for threat actors to be able to find the weakest link,” he said.

No Centralisation of Personal Data, Government Says

Concerns over data centralisation were also put to the Department of Finance by chair of the Committee, Senator Jess Walsh.

“The legislation says that you can’t track across digital IDs … so there’s no intention from the government to store the data collected and used by private sector digital ID providers for their customers,” said John Shepherd, assistant secretary for digital ID and Data Policy at the Department of Finance.

“The government’s digital ID again seeks to limit the amount of information it stores to enable identification or verification of the person, and with their consent if needed to access a service.

“So the simple answer is no to your question. There is no centralisation of all digital ID information.”

Duncan Anderson, acting assistant secretary of the digital ID legislation, confirmed the government’s stance, saying that additional safeguards under the bill would allow Australians to deactivate their digital ID.

“There’s prohibitions or restrictions on sharing certain types of sensitive information through either prohibited attributes or restricted attributes.

“So biometrics are only being used to verify a known person’s identity, not to try and identify people. Also restrictions on the use of unique identifiers in data profiling, as well as on the use of personal information for direct marketing.”

In contrast, Digital Rights Watch has warned against personal data being repurposed for surveillance, adding that the digital ID system must be “genuinely voluntary,” with practical non-digital alternatives available for Australians.

Daniel Y. Teng and Monica O’Shea contributed to this report.