Hi everyone and welcome to another episode of Seriously Risky Business, the podcast we do here at Risky Business Media, which is all about, I guess, government policy, intelligence matters, things like that when it comes to cybersecurity. My name's Patrick Gray. So we'll be chatting with my colleague, Tom Uren, in just a moment. But before we get to that, I should mention that this podcast receives support from the William and Flora Hewlett Foundation, as well as from Lawfare. And we also do have sponsors for these podcasts, and this week's sponsor is Island. And Island of course makes an enterprise browser, which is being used, oddly enough, as a real rip-and-replace for virtual desktop infrastructure. So people are much more using enterprise browsers to fulfill that function now. It's a function that Island fulfills very well. So yeah, if you Google for Island browser, you will find them. And I recommend you do, because it's a very interesting technology.

Tom, we're going to talk through the newsletter you've written for us this week. The first thing we're going to talk about is something that I touched on very briefly in yesterday's show with Adam, which is this proposed identity service in Australia called TEx, or the Trust Exchange service, which really looks like the sort of thing that I've been hoping governments would move towards. They will obviously make mistakes when doing this, but why don't you walk us through the basic idea of what the Trust Exchange actually is?

The idea is that there, or at least my take on it, is that there's this gap in the way online identity works right now. And the gap is huge: proving that your online credentials, whatever, actually correspond to a real person. And so there's cases, and quite a lot of cases, where you want to do that to make things easier. And what happens right now is that every time you interact with a business where you need to prove that you are who you are, you have to go through the same process. So like with a bank in Australia, there's a process where you need to produce various ID documents. With a telco, same thing. Most countries, you need to prove that you're a person and who you are. Real estate, any sort of big financial transaction, you need to have someone, a real person, who's on the hook rather than just an anonymous email address. So there are all these cases where proving that you're a real person is very, very important, and right now the internet kind of... there's no internet infrastructure to do that, so each business comes up with their own process.

So the idea with the Trust Exchange was to take all that away and create a government service. So it's not entirely... the plan is not for it to entirely be a government service, but a government, I guess, sponsored or a government framework for that kind of service. So now, in that future world, if I want to go to a bank and create a bank account, I can just use that service and it says, okay, this account corresponds to Tom. We know that's a real person. Our requirements for know your customer are satisfied. We don't need to get Tom's license or his passport or any other kind of ID number. We've got that verified credential. We're good to go. So it would be much easier to create bank accounts. The same with telcos, the same with big transactions. It's not producing different forms of ID every single time. So that's the idea.

There's also a neat concept where you could prove that you have certain attributes. So I want to prove that I'm old enough to drink. You can look at me and tell it's obvious, but for many people the current, you know, the way people do it now is they show their ID, like a driver's license, which has got perhaps your home address, to a bouncer who, you know, who knows what the bouncer is going to do with that. In this scheme, you would just tap your phone and the venue would get a yes/no confirmation. Yes, this person is over 18. That's it.

And perhaps a photo to make sure that they're not using someone else's phone.

Yeah. So the, yeah, there's different ways you could do that. I think that would make sense. Yeah. So to me, this felt like it pointed out that this is something that we all just take for granted. There's all these identity documents that you have to give to different businesses all the time. And at the same time, there's a kind of layer above that where companies like Google, Apple, Facebook and others have got these, I guess they're called social logins often, where you can log in to different services.

Yeah, I mean, it's their standard OAuth stuff, right? Sign in with Google, sign in with Facebook. And as you point out in the newsletter, and I thought this was a brilliant way to frame it, is you cannot sign in with Google to create a bank account, right? Because the level of attestation just isn't there. I mean, this is a good idea on many, many levels, right? As you pointed out, these organizations will no longer be required to hold this PII anymore. When the Optus breach happened, it turned out they were holding a lot of, like, driver's licenses and passports and things like that belonging to their customers, but they kind of needed to do that in case someone racked up a $1,000 bill and then said, what are you talking about? I never used that service. And they can say, well, here's your passport that you handed over for us to scan when you went into the shop to order the service. So there have been some business requirements that have required companies to hold onto this sort of information where really, under a regime like this, they wouldn't have to. I mean, it was often said for a time that data was the new oil, you know, and people were going out and collecting as much data as they wanted. And I think the twist on that phrase now is data is now more like nuclear waste, right? Like it is dangerous and difficult to store. So this does solve a bunch of problems. And indeed, if we get far enough down the line with it, it's entirely possible that you could use it for these sort of federated logins, right? If you wanted to spin up a bank account, there's no reason you couldn't. If you're satisfactorily authenticated via your computer to this identity service, you should be able to say, yep, authorize me into creating this bank account or doing this transaction or whatever. That's going to come with a whole host of other issues, but it does solve a lot of problems.

Yeah, yeah. So it's really building across, or on top of, a government scheme. So in Australia, there's a government ID service and you can identify yourself to that. And the idea of that is it makes it easier to access government services. Now, this is both a great idea and I think something that will be extremely painful. And so the minister responsible, Bill Shorten, he announced it at the press club. And it's the sort of thing politicians announce because they think that they may be onto a winner that will provide something useful to Australian citizens and be, you know, good electorally. Now, my unfortunate take on it is that it's going to be extremely painful and Bill Shorten will see no benefit whatsoever from this. And it's sort of because the way you have to frame it is it's safe and secure and so it's opt-in. Opt-in means that it's very hard to get traction, because people are, I think, naturally just cautious about anything to do with identity and privacy and the government.

And so when I thought about services like sign in with Apple or sign in with Google, there's a very good reason that they don't hold your passport and driver's license. It's because I'm not going to trust those companies with that information, like, full stop. And they're probably some of the companies some people at least have the highest faith in, even more than governments, I believe. And so there's, I think there's a real difficulty here. Like, the system has identified, or the fact that they're working on it has pointed out to me, that there's a real gap that I had never really thought of before, a gap in online identity verification. But there's a real problem getting people to accept it and use it, I think. So I imagine what will happen is they'll roll it out, it'll be terrible, people won't use it. And in five or 10 years, it'll have gradually improved. The new generation will come through and just start using it without thinking about it. And in 15 or 20 years, we'll be in this happy place. But unfortunately, Bill Shorten's not going to get any political kudos from it.

No, I mean, I think you wrote in your newsletter that it's going to be awful and that it'll be good, right? Eventually. And that is typically how these things go. I mean, I feel like the Australian government gets some... Like, user experience with Australian federal government systems is horrible. Like, truly, truly bad, just terrible. But they tend to do some of the fundamentals right. Like, we do not have a scandal-plagued government that is always losing data. A project like this where they're going to be holding a lot of PII, it tends to be the sort of thing where the privacy and security scoping is done right. So my concerns are definitely around the user experience and it just being a clunky horror show of cobbled-together data crud, more so than them losing data and not being able to be trusted with it.

Yeah. So there was another government project called My Health Record, which was basically an electronic health record for all of Australia. It was introduced maybe four or five years ago now, I think. And at the time, there was a huge amount of concern about the privacy implications of an electronic record. That's opt-in. And ever since the introduction, I've heard basically nothing about it, which to me seems like a success story, in that probably my kids will use it. And I think over time, people will... well, we'll just gradually use it. It eases a whole lot of things.

Let me just slow your roll there, Tom, because your kids are older than mine, and my kids are six and three and they're in it. Yeah. So I think that's really, they're going to get them while they're young, I think is the rollout plan for that. And it does make life a lot easier to just be able to have those records available to any doctor. So yeah, that's how they've done it. Get them young.

Yeah. And in terms of a government project, you know, achieving a real benefit over 10 years, I think is perfectly fine. I think it's just, it's sort of politically difficult to get these up. So funnily enough, my boss, when I used to work at ASPI about five years ago, wrote a paper on digital identity in Australia. And he said at the time it needed legislation. So that was in 2018. And the legislation that supports this provides checks and safeguards. It installs the Australian Consumer and Competition Commission as the regulator. That passed this year. So it's been a long road already to get it to this state.

Yeah. I mean, we've seen other things as well. There was briefly going to be a Centrelink card. Centrelink is Australia's welfare agency, but it is also responsible for distributing a lot of benefits like childcare subsidies and things like that. So most Australians will have some sort of interaction with Centrelink, and there was going to be this card that was a smart card and it had all crypto stuff and similar concepts to here. And then a few people who, like, have a clue how to look at their crypto scheme just said, oh my God, no. That thing died in the end. I can't even remember how it died. I think it just withered and died. It wasn't even axed. It just went away. Somehow you get the feeling, though, that this won't do that.

But look, let's move on to the next topic that we're going to talk about. And I was really glad you wrote about this, because there's been some reporting. I think Kaspersky was one of the companies that was reporting on this, that Chinese APT groups have been targeting systems in Russia. Now, the Twitterati or the Exorati or whatever you would call them these days, you know, sort of public commentators, have been seizing on this and saying, look, see, China is backstabbing Russia, even though they've got this no-limits partnership and whatnot. And China is giving at least some form of tacit approval to Russia's actions in Ukraine. And look, they're hacking their computers. But this is pretty standard. I mean, friends... I mean, they're not the closest allies in the world, but they are friends, and conducting espionage on each other, pretty sort of normal, right? So I guess you've written something here saying, don't read too much into this.

Yeah, pretty much. So I guess at one level, there is concern that they espouse that they have a no-limits partnership. That's the phrase that, I think it was Putin or maybe Xi, used about the relationship. Now, there is no such thing as a no-limits partnership or friendship between countries. There's always self-interest. And spying on even your allies is not uncommon. I don't know if I want to call it standard, but it's not unusual at all. So one example that I didn't know is that even up in World War II, the British were attempting to break US diplomatic codes up until Pearl Harbor, so December 1941. And when you think about it, that makes perfect sense. Like, the Brits are involved in an existential struggle. The U.S. is not yet involved. We want to know what the U.S. is thinking. Trying to understand their diplomatic comms, like, that just absolutely makes sense.

Now, so there's also the possibility that if that type of activity is discovered, you'll get blowback. So one example is in the wake of Edward Snowden's leaks, there was basically a political blowup between the US and many European governments. One of the stories is that NSA was listening in to Angela Merkel's phone calls, her mobile phone calls. So that is the risk of conducting those sorts of operations, that they'll be discovered somehow and you'll have diplomatic fallout. And those particular disclosures, I think, have had huge ramifications for the relationship with Europe.

Let me just pick you up on that. Do you think that's really true? Because the impression I got through a lot of that was that European politicians were to a degree feigning outrage.

I think that is true, but I think part of the feigning outrage resulted in legislation that was painful for both sides to work through. So some of the European court legislation... Now, I wouldn't... It's hard to know if overall this whole thing is bad, because there's been improvements in internet security. Some of the stuff the US has committed to I think is not bad in terms of oversight of signals intelligence processes. I think it's probably much more painful than the actual benefits. But I think that on balance, having those protections spelt out is not a bad thing. But I'm sure that if you'd step back in time, the US and perhaps even some EU politicians would prefer those leaks not to have occurred so that they didn't have to deal with the pain and the angst.

I mean, I love what you've essentially told me here is, yes, it was theatrical, but they had to follow through.

Yeah, yeah. I think that is my feeling. Now, of course, who knows? But when it comes to China and Russia, the situation is very different. So Russia is not quite a vassal state, but it's definitely relying on China for support, both its war and also the economy. And so it can't afford to feign outrage and force, have some kerfuffle with the Chinese leadership about these incidents. It's really got to sort of sit back and take it. Losing some intelligence, losing some secrets, that's a lot better than losing Chinese economic support and also the support for weapons manufacturing.

Yeah, I mean, it might not be China's vassal state, but it is certainly also not China's peer.

Yeah, that's right. Vassal state is too strong, but there is a real dependency there.

Well, they're on their way, right? If things continue the way that they are. Tom, you're in. That's all we're going to have time for. Thank you so much for joining me to talk through your work this week on the newsletter. People can find and subscribe to that one at news.risky.biz.

Yeah, I'll look forward to doing it with you again next week, mate. Cheers. Thanks a lot, Patrick.