Identity in Australia:
Complexity, Crime and Cost: $1.6 Billion pa Impact
The economic impact of identity crime to Australia is estimated to exceed $1.6 billion every year.
And every year, the personal information of an estimated 1.7 million Australians is stolen or misused (Australia has a population of 23 million people).
This makes identity crime one of the most prevalent personal crime types in the country.
On 21 October 2014, the Australian Government released its report of the National Identity Crime and Misuse Measurement Framework (referred to here as the Identity Crime Report) as part of the National Identity Security Strategy. This Identity Crime Report is compelling reading for a number of reasons. It claims to be the first attempt by any government worldwide to “systematically measure the incidents and impacts of identity crime” and it is well worth having a look at the methodology.
In bringing together available data from over fifty different Australian Commonwealth Government, Australian State and Territory Government, and private sector sources, this report provides an insight into the fragmented status of the national identity infrastructure in Australia.
In addition to the vulnerability issues highlighted in the Identity Crime Report, the strategic risks related to identity are also raised as a concern in prominent current and related Australian Government reviews and reports. The current inquiry into Australia’s Financial System states that Australia “…has not yet developed a detailed approach for the future of digital identities” and “…does not have a single over-arching technology strategy in place.”
How is it that Australia finds itself in this vulnerable situation? Did it not see the digital disruption coming and the role that identity would play?
To understand how close Australia came to having a world leading robust digital identity infrastructure – and how far we are from this today – it’s important to look at an initiative during the past decade to introduce a national smartcard across Australia, and to contrast the underlying risks at that time with the risks described in the Identity Crime Report.
I was the Chief Technology Architect of this national digital infrastructure program – designed to deliver a smartcard capability, reciprocity framework and architecture to strengthen Australia’s identity infrastructure. This smartcard project, called the Access Card, was terminated on political grounds following the change of government after the Australian national general election in 2007.
By way of background, unlike many countries, Australia doesn’t have a national identity card. Nor was the Access Card intended or planned to be an identity card, although this was widely misrepresented and misreported in the media and by commentators. It was, however, an identity service that was to be part of a broader ecosystem of standards and reciprocity.
Millions of Identity Credentials
The Identity Crime Report characterises Australia’s national identity infrastructure as a “…complex federated network…in which around 20 government agencies manage over 50 million core identity credentials”. These credentials include driver’s licences (issued by six Australian states and two territories), passports, Medicare cards, birth certificates and visas. In addition to these 50 million government identity credentials, there is a further comparable number issued by private sector and non-government organisations.
Many of the government issued credentials used to establish and prove identity have few or no security features, and according to the Identity Crime Report, the price of fraudulent identity credentials “…suggests that they are relatively cheap and easy to obtain.” According to the Australian Federal Police, “…the price of fraudulent identity credentials ranges from around $80 (Medicare cards) to around $350 (driver licences)…” and these prices were not for the most recent versions that contain state-of-the-art security features.
According to the Identity Crime Report, “…the fact that Medicare cards are the cheapest fraudulent credential on the black market suggests that they are relatively easy to produce, particularly in light of the fact that they contain very few security features, such as facial image or hologram.” This was a known vulnerability that was to be addressed by the Access Card program.
Credentials that are in ubiquitous use and have weak security features (such as Medicare cards and driver licences) are more likely than other credentials to be used to facilitate identity crime, according to the Identity Crime Report. This underscores the importance of verifying the information presented on these credentials with the issuing agency.
The Document Verification Service (DVS) delivers this capability, enabling user organisations to match the biographical data presented on identity credentials with the issuing authority. The DVS was to be a key pillar of the Access Card program, as it has been long recognised that this verification service strengthens the evidence of identity processes for government and the private sector.
Notwithstanding the known vulnerabilities of weak government credentials, there are unacceptable systemic vulnerabilities as a result of weak processes and practices to do with notification of suspected frauds and verification of credentials in use. According to the Identity Crime Report, there is currently limited usage of the DVS by government agencies with only one of the eight Road Traffic Authorities and RBDMs currently using DVS.
Originally, the DVS was only available to government agencies, but in a very positive move, the use of the service has been extended to private sector organisations, particularly those with legislative obligations to verify the identities of their customers. In contrast to the limited usage of the DVS by government agencies, there is strong demand for use of the DVS amongst private sector organisations who have to deal with the commercial impact of weak government credentials.
The identity processes and card security vulnerabilities highlighted in the Identity Crime Report have been known for many years, and were among the key drivers for the Access Card program. The vulnerabilities in these government-issued proof of identity (POI) credentials (such as driver licences and Medicare Cards) and POI processes (such as verification and notification) had and still have significant ramifications for the government’s service delivery arrangements.
In April 2006, the Australian Government announced the introduction of a health benefits, veterans’ and social services Access Card to replace up to 17 existing Australian Government benefits plastic and paper cards and vouchers.
In 2006, the Access Card KPMG business case documented the appalling consumer experience and exorbitant costs associated with government service delivery, much of which was driven by manual, repetitive and confusing identity processes: maintaining different standards of POI in each agency; providing the same information to different agencies, and repeatedly to the same agency; and multiple cards for different concessions and entitlements, many of them (horrendously, in the digital age) paper-based, with 24 cards in use just in the Department of Human Services (DHS) services system. In 2006, DHS agencies were overly reliant on face-to-face interviews, with 110 million face-to-face transactions each year.
So, what has changed from a government service delivery perspective?
Compare 2014. Notwithstanding the billions of dollars that have been spent on technology over the past decade, and acknowledging that considerable progress has been made in some areas, Australian Government service delivery and associated processes remain largely manual, highly repetitive and complex. Many of the (now) 170 million face-to-face transactions per year are to prove identity. All the multiple cards, and more, including paper-based cards, are still in use.
The Access Card was designed to utilise smartcard technology underpinned by biometrics to streamline and modernise the delivery of Australian Government health and social services. The Access Card program collaborated on the development of the smartcard interoperability standard ISO 24727. This would mean that any smartcard compliant with the interoperability standard (such as a smartcard driver’s licence or smartcard bank card) and issued within the identity framework would be reciprocally accepted for the purposes of POI, and potentially payments. Furthermore, this interoperability framework also meant that compliant smartcard credentials could be used for the purposes of online authentication to both government and financial services.
Standards and a framework of trusted reciprocity would drive this transformational level of interoperability. However, seven years later, the absence of a highly reliable and consistent digital credential and framework of reciprocity has constrained the efficiency of service delivery, and locked out the opportunities for policy and service delivery innovation.
This is a significant market failure.
Notwithstanding the range of identity policies in place, decisions about various aspects of Australia’s identity infrastructure continue to be taken on an agency by agency basis; on a jurisdiction by jurisdiction basis; and on an issue by issue basis. Australia’s identity infrastructure is a fragmented infrastructure suffering from a lack of design, a lack of investment and reform by a range of credential issuing authorities, and a lack of widespread utilisation of the underpinning verification services.
Australia’s identity infrastructure needs to be recognised and operated as a critical national economic infrastructure. New digital era governance and architecture is urgently required to stop this fragmentation, and to unlock the economic and social potential in the digital decades ahead.
About the Author
Marie Johnson is the Managing Director and Chief Digital Officer of the Centre for Digital Business. An experienced CIO and CTA, Marie has delivered significant technology, innovation and digital services transformation programs across taxation, business, social services, payments and immigration operations in the Australian Government. Marie was the Chief Technology Architect of the Australian Government Health and Human Services Access Card program. At Microsoft, Marie was the Worldwide Executive Director of Public Services and eGovernment based in Redmond USA. In this role, Marie was the joint author with Dr Jerry Fishenden of the Microsoft Strategy “The New World of Government Work”. In 2006-2007, Marie was named “Innovative CIO of the Year – Australia”. In 2013, Marie was named one of Australia’s “100 Women of Influence”. Marie is a Board Director of the Australian Information Industry Association (AIIA), a member of the NSW Government ICT Advisory Panel, which advises on transformation and ICT strategic directions for the NSW Government, and a member of the NSW Digital Government Taskforce. Marie has an MBA (Melbourne Business School); Bachelor of Arts; Harvard University John F Kennedy School of Government Senior Executive Fellows Program; and is a Graduate of the Australian Institute of Company Directors. Marie is a contributor to CIO Online (Australia) www.cio.com.au and to The Mandarin www.themandarin.com.au.
Notes: Marie is currently writing a book on the Access Card program in Australia.