One of Australia's worst-ever data breaches occurred in September 2022 when the telecommunications carrier Optus was attacked by cybercriminals and personal data on approximately half the population was leaked. It triggered a mass response, because so much personal data used to establish identity was coming onto the criminal black markets; many governments expedited the renewal processes for driver licences and the like.
And there was sudden renewed interest in the various digital identity initiatives of Australian state and federal governments. It just so happened that the federal myGov program was under review, and the scope of that examination was broadened (at least unofficially) to consider if the newish myGovID could be modified somehow to provide improved "digital identity resilience".
But it's a mistake to think of these as identity problems. They are data problems. To be precise, it’s the quality of the data that we use in identification that needs to be addressed.
Frankly, there is no such thing as "identity theft". What happens after a breach is that personal details used to establish identity fall into criminal hands and get reused behind our backs to impersonate us. That sounds like I’m splitting hairs, but the point is we can’t protect people by just updating their data. That’s no lasting fix. Changing driver licence data or passport data is not a sustainable response when another breach is inevitably around the corner. People deserve better safety in a modern digital economy.
The root problem that makes people vulnerable after a breach today is that businesses can’t tell the difference between original data and copies. Websites can’t tell if a form is being filled in by a genuine customer or an imposter. So stolen data is traded on black markets and used by imposters behind our backs.
Data is the lifeblood of the digital world. Data sharing can only expand in coming years. Of course excessive, nefarious, covert and deceptive data collection must be fought, but well-intended data collection must continue. Instead of changing the way data is used, we must change the way data is presented.
We must make data better.
Instead of having people type raw numbers into forms to establish their bona fides, we should transition to digital presentation of cryptographically protected facts and figures. Digital credentials should be signed by their issuers when issued, to prove their origin, and must be signed again by their holders when presented, to prove the owner consented to each transaction, or was at least actively involved.
The signing is relatively easy. It’s built into mobile technologies and used seamlessly every time we bring up a virtual credit card from a mobile phone wallet.
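The two signatures described above can be sketched in a few lines. This is an added example, not code from any wallet or government scheme. It assumes Ed25519 keys, a credential that carries the holder's public key, and a fresh nonce from the verifier; the function names and the sample licence number are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const check = (key, obj, sig) => crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));
const pubPem = (key) => key.export({ type: 'spki', format: 'pem' });

// Issuer signs the claims together with the holder's wallet key (proves origin).
function issue(issuerPriv, claims, holderPub) {
  const body = { claims, holderKey: pubPem(holderPub) };
  return { body, issuerSig: sign(issuerPriv, body) };
}

// Holder signs the credential plus the verifier's nonce (proves involvement).
function present(holderPriv, credential, nonce) {
  return { credential, nonce, holderSig: sign(holderPriv, { credential, nonce }) };
}

// Verifier checks freshness, then the issuer signature, then the holder signature.
function verify(issuerPub, presentation, expectedNonce) {
  const { credential, nonce, holderSig } = presentation;
  if (nonce !== expectedNonce) return 'stale-or-replayed';
  if (!check(issuerPub, credential.body, credential.issuerSig)) return 'bad-issuer-signature';
  const holderPub = crypto.createPublicKey(credential.body.holderKey);
  if (!check(holderPub, { credential, nonce }, holderSig)) return 'bad-holder-signature';
  return 'ok';
}

// Constructed scenario: a breach leaks the credential but not the wallet key.
function demo() {
  const gen = () => crypto.generateKeyPairSync('ed25519');
  const issuer = gen(), holder = gen(), thief = gen();
  const cred = issue(issuer.privateKey, { licenceNo: 'SAMPLE-0000' }, holder.publicKey);
  const n1 = crypto.randomBytes(16).toString('hex');
  const n2 = crypto.randomBytes(16).toString('hex');
  const genuine = present(holder.privateKey, cred, n1);
  // The imposter swaps in their own key; the issuer signature no longer matches.
  const rebound = { body: { ...cred.body, holderKey: pubPem(thief.publicKey) }, issuerSig: cred.issuerSig };
  return {
    genuine: verify(issuer.publicKey, genuine, n1),
    replayed: verify(issuer.publicKey, genuine, n2),
    copiedData: verify(issuer.publicKey, present(thief.privateKey, cred, n2), n2),
    rebound: verify(issuer.publicKey, present(thief.privateKey, rebound, n2), n2),
  };
}
console.log(demo());
```

Only the presentation signed by the wallet key the issuer bound into the credential verifies; the leaked copy, the replayed presentation and the re-bound credential are each rejected at a different check.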
We should be adding official digital copies of driver licences, Medicare cards, passports, and all official facts and figures into digital wallets — whether they be government mobile apps such as that of Service NSW, the Apple and Google wallets, or new versions of the future Open Wallet standard.
People should be able to move their important data around with exactly the same convenience, privacy and security as they move their digital money.
Stay tuned through 2023 as I publish more on Data Protection as a Service, and check out our Constellation Shortlist of Data Protection Infostructure solutions.