Blindsiding the Pollies & Ignoring the Public.
How digital identity systems are ‘done’ in Australia & New Zealand.
Australians might not know about the phased expansion of the Australian Government Digital ID System (AGDIS). AGDIS work started in 2015, but it has never been legislated, reporting is scarce and you won’t seen critical analysis in the legacy media.
The Digital ID Bill 2023, which is halfway through Parliamentary process, locks much of these policies into legislation. But the processes keep being, well, undemocratic.
Australia’s Senate have just passed Digital Bill 2023. No debate was permitted, nor questions permitted to be asked of ministers. The Bill now passes to the lower house, the House of Representatives for debate.
There is no doubt that this is massive. As the Australian Parliament’s Explanatory Memorandum states:
‘Digital ID is a major economy-wide reform with significant economic, security and privacy benefits for individuals and businesses.’
The Bill primarily aims to strengthen the operation of an accreditation scheme and enables the ‘expansion of the AGDIS to an economy-wide digital ID system’.
Most of the digital identity framework in Australia is already in policy but unlegislated. The Supplementary Explanatory Memorandum states:
‘An existing policy framework - the unlegislated Trusted Digital Identity Framework (TDIF) - sets out technical standards for entities providing services in the unlegislated AGDIS, and provides a voluntary accreditation framework for entities who are not providing services in the unlegislated AGDIS.’
Therefore, as the policies have largely evolved in policy rooms, without media coverage, most Australians probably won’t know what is going on. They will have no idea of how mature the policy is across Australian agencies. Online searches on ABC.net.au, The Australian, Sydney Morning Herald, The Herald Sun and News.com.au don’t seem to mention the Australian Bill nor do they mention AGDIS.
Are Australians being misinformed or disinformed if the media is not communicating to Australians, exactly what is going on inside government agencies?
It’s not only the public. Elected members won’t have spent much time delving into the guts of the criss-crossing and often quite technical policies. But believe me, the FinTech industries will know all about it.
Digital identity systems present a massive democracy problem. But no-one knows and we don’t have the language for why these systems might present a transfer of power away from individuals in society.
It is, unfortunately, quite normal that policy relating to digital ID architecture, frameworks and banking systems are established and developed with negligible public participation, but with comprehensive engagement with selected stakeholders who reside inside and outside governments.
It’s complex, and theorists are describing how humans are turned into data, how the platforms work, and how surveillance is the inevitable endpoint:
In the study of digital identity, a datafier view is essential to grasp the conversion of human beings into machine-readable data. Such a view needs, however, to be integrated with a perspective centred on platform features, where digital identity systems are viewed in their nature as platforms whose core-complement architecture generates surveillance outcomes.
It’s no surprise the Australian media is largely silent. New Zealand legislation concerning digital governance architecture (2021-2023) was not meaningfully covered by the legacy news in any meaningful form, other than to promote the benefits. It’s a pattern that probably repeats elsewhere.
This might be the biggest transformation of global democratic governments since the 1980’s but the enormity of it, what the changes might mean, remained largely unparsed and undisclosed.
Why should we be concerned?
Digital IDs are promoted as being convenient and re-usable. People don’t have to go to the bother of providing lots of copies of ID. Digital ID systems are viewed has having great ‘economic potential’.
As the Australian Treasury stated:
‘…stakeholders have identified Digital ID as a key digital economy initiative that could help build trust in the payments system.’
The Australian Treasury document: A Strategic Plan for Australia’s Payments System, imagines a trustworthy, accessible, innovative and efficient system. Within this system, Digital IDs become a ‘key enabler’:
In current discourse it is logical that the Australian Senate pass Digital ID Bill 2023.
The Bill aims to:
· legislate and strengthen a voluntary Accreditation Scheme for digital ID service providers that wish to demonstrate compliance with best practice privacy, security, proofing and authentication standards;
· legislate and enable expansion of the Australian Government Digital ID System (AGDIS) for use by the Commonwealth, State and Territory governments and eventually private sector organisations;
· embed strong privacy and consumer safeguards, in addition to the Privacy Act 1988 (Cth) (Privacy Act) to ensure users are protected; and
· strengthen governance arrangements for the Accreditation Scheme and the AGDIS, including by establishing the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator, and expanding the role of the Information Commissioner to regulate privacy protections for digital IDs. Both these regulators will have a broad range of powers under the Bill, including to issue civil penalties.
While the accreditation scheme for service providers is voluntary, if providers want to provide services within the government’s AGDIS, accreditation is compulsory. Legislation and communications promise best-practice privacy arrangements.
Unfortunately, the privacy rules and guidelines have been developed by the institutions who are developing the regulations, and therefore reflects the concerns of these institutions.
If there are weaknesses or problems with these technologies that could lead to abuse of power, inside or outside of government, that certainly won’t be discussed when a Bill is forced through without debate.
They certainly won’t be discussed by Parliamentary Select Committees either.
New Zealand’s Digital Identity Services Trust Framework Bill
Earlier in 2021, New Zealanders expressed concern about a Bill that set up the regulation and accreditation scheme for service providers, but they were abjectly ignored by the Economic Development, Science and Innovation Committee.
New Zealand’s Digital Identity Services Trust Framework Bill received Royal assent in April 2023. Over 4,500 people submitted to the Bill. Most of them (3,600) were dismissed in the Select Committee report who attributed ‘the influx to misinformation campaigns.’
The Select Committee process effectively wrote out the public participation process. Then it was passed, along with 9 other bills in one week.
Because it’s all so urgent.
I’m a trustee of the Physicians and Scientists for Global Responsibility (PSGRNZ). Our submission to this Bill stated that the Bill:
‘…lacks a clear purpose and a clear intent to protect New Zealand people and New Zealand interests from exploitation and vulnerabilities; and it lacks flexible functions and powers that can address, in a timely fashion, emerging new threats to New Zealand people and New Zealand interests.’
PSGRNZ pointed out many problems:
· The New Zealand public were not consulted on that Bill.
· Stakeholder consultation was narrow and relevant groups were excluded.
· Privacy was the dominant issue while human rights were ignored.
· Risks were limited to non-compliance of digital service providers.
· The governance and compliance regime does not give the regulators powers to consider greater abuses.
· Conflicts of interest and global power structures were not discussed. I.e. Global industries with many divisions may have conflicts which arise from interests and investments across finance and technology sectors
· The Framework aligns with Australia, Canada and the United Kingdom, which is part of a Single Economic Market Agenda.
These issues were not addressed in the Select Committee report. The Select Committee, chaired by Jamie Strange, and included Glen Bennett, Naisi Chen, the Hon Judith Collins and Melissa Lee did not concern issues raised by submitters, but rather focussed on technicalities including the drafting of rules and clarification on Bill content.
Other than Collins, none of the MPs had a background that equipped them for judgement the complex legal, social and technical demands required of a committee considering such legislation. This is evident in the Report which ignored public comment.
Judith Collins is currently serving as Attorney-General and the Minister for digital everything - Minister of Defence, Minister for Digitising Government, Minister Responsible for the GCSB, Minister Responsible for the NZSIS, Minister of Science, Innovation and Technology, and Minister for Space.
THE PROBLEMS
Accreditation schemes act in favour of the regulated industry.
The Australian Digital ID Bill provides for three kinds of Digital ID services: attribute service provider, identity exchange provider and identity service provider. The service providers provide services into the federated digital ID system
‘which involves an identity exchange that facilitates data flows between service providers and the organisations that use their services, which are referred to as relying parties.’
The accreditation scheme enables public and private sector identity service providers to be accredited based on ‘based on requirements set out in the Trusted Digital Identity Framework (TDIF).’
The Australian Bill sets in place a variety of governance and regulatory mechanisms to administer the Bill and promote compliance with the Act. These governance mechanisms do not appear to provide direction or resourcing for the entities to review the global landscape on digital identity platforms and the attention for abuse of power by service providers, whether as public or private entities, and problems of conflict of interest.
Their scopes will be much narrower than that, directed towards privacy considerations and focussed on the local landscape and problems, such as harmonisation and a common technical language, when they occur.
Digital ID schemes for the public will be presented as voluntary systems.
As we saw during COVID-19, laws put in place arrangements that result in the government making rules, and business making rules, that are ‘voluntary’ but if individuals do not comply with them and sign up, they will have limited access to public resources and jobs.
In New Zealand it is increasingly difficult to get a job in government, or apply to university if you don’t have a Digital ID. Immigration is easier if you have a Digital ID. So, it’s not as if you have to have one, but the path is smoothed, the rails are greased if you do.
It’s expected that this will become the way that business operates. Requiring that future employees present an accredited Digital ID will simply be seen to be efficient and require far less administration, saving money on processing fees. In tight job markets it’s a good ‘sifter’.
Business will put obligations in place – they will by default act to encourage take-up of Digital ID services, particularly if they’re owned offshore, and take such action in other jurisdictions.
A constitutional architecture that protects human rights is absent.
In an earlier submission to New Zealand’s discussion document Towards a Digital Strategy for Aotearoa, the Physicians and Scientists for Global Responsibility (PSGRNZ) argued that the strategy document provided little assurance that the fundamental rights of the individual would be protected – and prioritised against claims of a ‘generalised public interest’.
PSGRNZ proposed that the digital framework proposals in New Zealand lacked the constitutional underpinnings that could ensure individual rights and freedoms are not eroded. We quoted Michelle Bachelet the UN High Commissioner for Human Rights who stated:
‘The digital revolution is a major global human rights issue. Its unquestionable benefits do not cancel out its unmistakable risks.’
Bureaucrats enthuse that if problems occur, they will be righted through judicial review. The same bureaucrats probably know how difficult judicial review processes are, and the barriers to judicial review which include financial and expertise.
External privacy safeguards – but no protections on information shareability inside government.
The Bill emphasises that the safeguarding of the privacy of personal information is critical and is a ‘design feature’ of the Bill.
While express consent to share information with external relying parties is built into the Bill, the potential for personal information to be shared within government agencies is not discussed.
I’ve discussed this at length at Brownstone Institute, stating:
‘The sharing of the biometric and digital data of citizens is operational across New Zealand government agencies and permitted by the Privacy Act 2020. Webbed networks of digital information sharing are already occurring in New Zealand through approved information sharing agreements (ASIAs) across government platforms. ASIAs have increased since the start of the pandemic. It’s the backend sharing of data that ordinary Kiwis don’t see.’
Governments and banks envisage Digital ID systems as part of a greater digital platform.
Digital architecture is introduced bit-by-bit. Each ‘bit’ of legislation is then compartmentalised to that piece of technology.
Inside the government sectors who are rolling out this technology, inside the banking sector, Digital IDs are simply seen as a non-controversial piece of a greater architecture or platform that will lead to greater control by governments over identity, to prevent fraud for example, and greater precision in the implementation of policy.
Effectively Digital ID legislation can get through Parliament without a debate on human rights. There certainly won’t be any discussion on the capacity for governments weaponise surveillance activities and toggle ID’s to other permissions.
There won’t be discussion on how, in a recession spurred by inflation and accelerated by high interest, with increasing poverty, central bank digital currencies will be available, but only if the individual signs up for the Digital ID.
Malcolm Roberts shared an image which demonstrated how ambivalent and torn the Senate were. Yet this is major scaffolding legislation.
The instillation of digital identity frameworks resembles, the more I look at, a control grid. The legislation is designed to expand with need, much of this by way of Orders in Council, secondary legislation that doesn’t have to go through Parliament at all.
I can only guess that many elected members are stymied by a combination of ignorance, ambivalence and the problem of overload.
In New Zealand, elected members are resource poor. The only ‘legitimate’ information providers seem, again and again, to be white papers from the industry groups and bureaucracies intent upon a new policy innovation, that naturally bends towards greater take-up of industry products.
So, I suspect that in Australia it might be the same. There won’t be a language in Parliamentary debate that can encompass human rights concerns, the problem of policy capture by the big global companies with investment arms into digital finance and digital surveillance. There won’t be a discussion about the problem of information sharing of an individual’s identity inside government, because privacy only concerns privacy to outside interests – the public sector.
There won’t be attention drawn to wee conflicts of interest if Blackrock and Vanguard should have major interests in the companies which act as the digital service providers to private banks and the government; the companies which own the cloud tech; or in the companies that are the service providers helping develop central bank digital currency (CBDC) integration. Then we might ask whether they have interests in the companies that own the surveillance hardware; the companies which work in surveillance (with the private or public sector, domestically or globally); and the companies that develop the algorithms to ID citizens.
All these companies are important stakeholders that always need to be consulted.
The public are not important stakeholders and it appears from the lack of debate in the Australian Senate, nor are their elected members.
Just what this legislation might achieve in terms of population surveillance and control, and the relatedness of benefit to private industry, the co-developers of the tech that might be taken up and used by governments, and what happens in that mysterious cloud, is obscured and outside any debate.
I’ve quoted privacy expert Elizabeth Renieris before, and I’ll probably quote her again:
‘Governance is increasingly undermined by the complexity and opacity of privately owned and operated technologies deployed in public settings or procured by public entities in the provision of government services.’
Undermined. It’s a chronic drip. It’s crescive. It’s weaponised by commercial in confidence agreements, by trade agreements. By secrecy.
Except if you are society.
The screeching litany from the panoply of virtue signalers regarding public and individual rights, protections, safe-guards, freedom to choose is stunningly absent as you point out. And what of the continued corporatisation that DID represents of the sovereign living person?
Very scary - what to do? Apart from writing sleuthing articles like this one?