Digital Incompetence

The Identity Verification Services Bill 2023 (the Digital ID Bill) was passed by the Senate this month. 

According to the government the Digital ID System will address the need for a “secure, voluntary, and inclusive method” to verify Australians online, because “recent cyber incidents” have proven the need for identification to be “reliable”. Somehow, this is all said without the slightest hint of irony. 

Just last year the story emerged that the government’s flagship Digital Identification system, ‘myGov’, had been ‘hacked’ to the tune of over half a billion dollars. Fraudsters claimed $557 million from the Australian Tax Office (ATO) by creating false myGov accounts and linking them to the tax files of 8100 genuine taxpayers. They replaced the bank details of real people and businesses with their own.

This ‘recent cyber incident’ did indeed prove the need for identification to be secure and reliable. It also proved that government is not the organisation to make it so. 

But this example of the government’s profound lack of competence with information technology is not isolated or rare. The government’s track record of implementing reliable and secure digital infrastructure projects could only be described as appalling. 

How can the government claim that its digital identification system will be voluntary and inclusive when it has been knowingly acting unlawfully with identification for years?

Who can forget when Queensland Health tried to implement a new payroll system? They blew their budget by 20,000%, costing Queensland taxpayers an astonishing $1.2 billion and requiring 1,000 new staff to manually manage the payroll. The independent inquiry described the debacle as “the worst failure in public administration in Australian history”.

Then there was the disastrous Robo debt scheme. The Australian government tried to build a system to detect welfare fraud and overpayments. 443,000 Australians were abused and wrongly accused of fraud or Centrelink debts. Some were so distressed by the abuse they took their own lives. There was a class action lawsuit resulting in a $1.8billion pay-out from the government. The debacle led to a Royal Commission which described Robo debt as a “human tragedy”. 

Then there is the $1.5 billion My Health Record project. The former head of the project, Paul Shelter, famously said he would opt-out of the My Health Record system that he himself was responsible for building because of the poor security model. He disliked that your private and personal data can be accessed for reasons of public revenue. He said that the poor security, along with the way people were being signed up (without their express consent) was “symptomatic of the way government handles IT”. The National Audit Office confirmed recently that My Health Record still fails to appropriately manage cybersecurity risks. 

With a resume of disasters like these, how can we be expected to trust the government to build a secure and reliable digital identification system? The centrepiece of the system – myGov – has already been hacked successfully.

But the demonstrable lack of trustworthiness of the government with regard to digital identification extends beyond incompetence. The Government has for years been unlawfully using identity verification services without any legislative basis in breach of their own privacy laws. A Senate inquiry heard that the Document Verification Service has been used over 140 million times by approximately 2,700 government agencies and industry organisations. That was just in the past year alone. 

443,000 Australians were abused and wrongly accused of fraud or Centrelink debts.

In addition, the Face Verification Service was used 2.6 million times. Senator Shoebridge stated that “The conclusion that pretty much every stakeholder has drawn is that the current identity verification services procedure is unlawful and, in the absence of any statutory underpinning, is open to legal challenge”.

He warned that the government was facing “potentially significant civil damages” that could be “aggravated by the fact that they continue to operate a service knowing full well that it is unlawful, and in breach of the privacy laws”. 

The newly passed legislation is clearly a case of the Government giving itself legal permission to do what it has been doing unlawfully. Digital Rights Watch told Senators that the government was now retrofitting a legislative foundation to an existing set of practices and rushing the Bill through to protect itself from liability. The Law Council of Australia also criticised the use of these services without any laws underpinning it.

How can the government claim that its digital identification system will be voluntary and inclusive when it has been knowingly acting unlawfully with identification for years? The long history of catastrophically botched digital infrastructure projects prove that we absolutely cannot trust in the government’s competence. But its equally appalling record of disregarding privacy and identity – to the point of ignoring its own laws – prove that it cannot be trusted with our privacy or personal information at all.

Thank you for your support. To help us in our battle to protect liberty and freedom please click here

Jaimie Stevenson

Jaimie Stevenson JD (Monash) is a legal consultant for Australian-based SMEs, specialising in technology, data, privacy and IP law. She is passionate about the rule of law, as opposed to arbitrary rules, and minimal government encroachment on the inherent rights of the
individual including freedom, autonomy and dignity.