Showing posts with label big data. Show all posts

Monday 12 February 2018

AUSTRALIA CARD MARK II: no national digital ID number will mean no access to any Australian federal government services



“When signing up to the platform for the first time, users will be asked to provide their name, email address, and phone number, and verify their details via email or SMS. They will then be asked to provide information from three identity documents, which goes through the exchange to the identity provider for verification. The exchange receives encrypted details back which it passes on to the government service the user wants to reach, which then grants the user access.”  [IT News, 20 March 2015]

IT News, 8 February 2018:

The Department of Human Services looks set to become the federal government's exclusive manager of digital identities after being selected to build the identity provider solution that will be used for the Govpass platform.

The Govpass framework is a decentralised identity model that allows individuals to choose their identity provider - an organisation that issues identity documents, like Australia Post or the ATO - and access a range of public and private sector services through a single digital identity credential.

There is no limit on the number of identity providers outside of the Commonwealth that can be accredited for Govpass; Australia Post has already indicated it will seek to become the first non-government identity provider, using its Digital iD platform.
Several state and territory government agencies and private sector entities are also expected to become identity providers over time.

However, the federal government last year made the decision that only one identity provider would operate for the entire Commonwealth.

The Digital Transformation Agency revealed the decision following meetings with existing Commonwealth identity service providers, DHS and the ATO. Its rationale for the move was to focus security efforts in one place and avoid complex administrative structures.

iTnews revealed in October that the DTA was yet to make up its mind on which of the two agencies would serve as the federal government’s sole identity provider for GovPass, even as testing of the new platform was taking place with the ATO’s new online tax file number application service.

Instead the DTA said it was working closely with the ATO and DHS on the “next steps” for the platform.

But in response to questions on notice from recent estimates hearings, DHS revealed it had been instructed to develop the federal government’s single identity provider platform, to be known as myGov IdP.

“The department was commissioned by the DTA to build the identity provider (IdP) for the whole-of-government,” it said.

“The myGov IdP will enable citizens to verify their identity online and use it to apply for government services.”

iTnews has made several attempts to clarify the statements with the DTA and DHS, but both refused to comment on the build and DHS’ apparent position as the single government identity provider.

The ATO similarly redirected questions about its involvement with Govpass, including whether it had also been asked by the DTA to build an identity provider solution, to the DTA.

Selecting DHS as the sole government identity provider would be an obvious choice for the DTA - the agency is the government’s current de facto whole-of-gov identity provider through the myGov digital services platform.

A private beta release of myGov IdP is currently planned for later this month.

Identity providers on Govpass will use the DTA-built identity exchange – and in turn the document verification service (DVS) and facial verification service (FVS) – to verify an individual’s credentials without revealing their identity to service providers.
[my yellow bolding]

Note: The Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. FIS is also available to police, security services, Dept. of Immigration and Dept. of Foreign Affairs. [Australian Attorney-General's Department, October 2017]

Thursday 11 January 2018

NSW Auditor-General not impressed by government agencies' cyber security risk management


“Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.” [NSW Auditor-General, Report on Internal Controls and Governance 2017, December 2017]

On 20 December 2017 the NSW Auditor-General released the Report on Internal Controls and Governance 2017.

The Sydney Morning Herald reported on 28 December 2017:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

"Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes," she says in the report.

"Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users."

Overall, Ms Crawford's report found 68 per cent of NSW government agencies "do not adequately manage privileged access to their systems".

In addition, she said, the audit determined that 61 per cent of agencies "do not regularly monitor the account activity of privileged users".

"This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse," the report said.

The audit found 31 per cent of agencies "do not limit or restrict privileged access to appropriate personnel". Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls "they may also breach NSW laws and policies and the international standards that they reference".

Read the full article here.

List of NSW Government Agencies Examined by NSW Auditor-General (by cluster)

Education: Department of Education
Family and Community Services: Department of Family and Community Services; New South Wales Land and Housing Corporation
Finance, Services and Innovation: Department of Finance, Services and Innovation * Specifically identified in report; Place Management NSW; Property NSW; Service NSW
Health: NSW Health
Industry: Department of Industry; Destination NSW; Forestry Corporation of New South Wales; Office of Sport; TAFE Commission; Water NSW
Justice: Department of Justice; Fire and Rescue NSW; Legal Aid Commission of New South Wales; NSW Police Force; Office of the NSW Rural Fire Service
Planning and Environment: Department of Planning and Environment; Essential Energy; Hunter Water Corporation; Landcom; Office of Environment and Heritage; Office of Local Government; Sydney Water Corporation
Premier and Cabinet: Department of Premier and Cabinet
Transport: NSW Trains; Rail Corporation New South Wales; Roads and Maritime Services; Sydney Trains; Transport for NSW; WCX M4 PTY Limited; WCX M5 PTY Limited
Treasury: Crown Finance Entity; Insurance and Care NSW; Lifetime Care and Support Authority; NSW Treasury Corporation; NSW Self Insurance Corporation


Some deficiencies were common across agencies

The most common internal control deficiencies were poor or absent IT controls related to:

user access management
password management
privileged access management
user acceptance testing.

The most common governance deficiencies related to:

management of cyber security risks
capital project governance
management of shared service arrangements
conflicts-of-interest management
gifts-and-benefits management
risk management maturity
ethical behaviour policies and statements.

Tuesday 19 December 2017

Turnbull Government's data retention privacy blunder just rolls on and on...


“If data can be re-identified with no more than SQL, there's no "if" about a leak, and the "when" is history.” [Journalist Richard Chirgwin, Twitter 18 December 2017]

“But why are medical records so attractive? Well, it turns out that there’s a metaphorical holiday feast of enticing data served up in your average health record. Family history, demographic data, insurance information, medications, etc. means there’s enough information to completely steal an individual’s identity and commit medication fraud, financial fraud, insurance fraud and a wide array of other crimes. When this very private, unchangeable information gets into the wrong hands, devastation can ensue.” [Robert Lord writing in Forbes, 15 December 2017]

First the Australian general public were told that patient data was well protected and data breaches wouldn't happen as a result of government's drive to collect, cross-match and retain as much information about each and every Australian citizen/permanent resident as possible.

Then came the inevitable day when poor data security was laid bare: the personal histories of 550,000 blood donors were placed on an insecure computer and accessed, Medicare details began to be offered for sale on the Internet's dark web, and Medicare itself became careless with its encryption. The public was told in the first instance that misuse was unlikely, in the second instance that personal medical information couldn't be accessed, and in the third instance, where a billion-line encrypted data set was publicly released, that patients couldn't really be individually identified.

After that the Turnbull Government assured the population that it would create legislation which would make it illegal for anyone to de-encrypt anonymised data and create a Notifiable Data Breaches scheme.

We were all going to be safe once more in the arms of the Turnbull Government.

Now the cat is out of the bag, because that billion-line data set containing 30 years' worth of personal health information about an estimated 3 million people just won't stay in the back of the ministerial cupboard where Greg Hunt shoved it.

[Fairfax journalist Ben Grubb, Twitter, 18 December 2017]

The Sydney Morning Herald, 18 December 2017:

One in ten Australians' private health records have been unwittingly exposed by the Department of Health in an embarrassing blunder that includes potentially exposing if someone is on HIV medication, whether mothers have had terminations, or if mentally unwell people are seeing psychologists.

A report, published on Monday by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne's School of Computing and Information Systems, outlines how de-identified historical health data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS) released to the public in August 2016 can be re-identified using known information about the person to find their record.

The study reveals unique patient records matching the online public information of seven prominent Australians, including three (former or current) MPs and an AFL footballer. While a unique match may not always be accurate, Dr Rubinstein said there was the possibility to improve confidence by cross-referencing other data.

"Because only 10 per cent of Australians are included in the sample data, there can be a coincidental resemblance to someone who isn't included," he said.

"We can improve confidence by cross-referencing with a second dataset of population-wide billing frequencies. We can also examine uniqueness according to the characteristics of commercial datasets we know of, such as bank billing data."…….

Privacy analyst and Lockstep consultant Stephen Wilson said the breach damaged public confidence in health policy makers and data custodians.

"It's a huge breach of trust," he said.

"Promises of 'de-identification' and 'anonymisation' made by health officials, and ABS too in connection with census data releases, have been shown to be erroneous.

"The ability to re-identify patients from this sort of public release is frankly, in my view, catastrophic. Real dangers are posed to patients with socially difficult conditions.

"It beggars belief that any official would promise 'anonymity' any more. These promises cannot be kept."

Computer security researcher Troy Hunt said re-identification of anonymised records was attractive to researchers and nefarious parties alike.

"In this case, clearly more work needs to be done to protect individuals' identities," he said. "My hope is that the government embraces responsible research like this and strives to improve confidentiality rather than penalise those seeking to report deficiencies such as this."

The federal Department of Health was notified about the issue December last year.

"The Department of Health takes this matter very seriously and had already referred this to the Privacy Commissioner," a Department of Health spokesperson told Fairfax Media......

Meanwhile, the Office of the Australian Information Commissioner, which houses Australia's privacy commissioner, said it was investigating the publication of the datasets.

"The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification," a spokesperson said.

"Given the investigation into the Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets is ongoing, we are unable to comment on it further at this time.

However, the commissioner will make a public statement at the conclusion of the investigation."

The OAIC said it continued to work with Australian government agencies to enhance privacy protection in published datasets.....

Tuesday 28 November 2017

Australians to own their own banking, energy, phone and internet data? How wonderful! Except.....


Read the news coming out of Canberra…..

Assistant Minister for Cities and Digital Transformation and Liberal MP for Hume Angus Taylor, media release, 26 November 2017:

Australians to own their own banking, energy, phone and internet data

The Turnbull Government will legislate a national Consumer Data Right, allowing customers open access to their banking, energy, phone and internet transactions.

Australians will be able to compare offers, get access to cheaper products and plans to help them ‘make the switch’ and get greater value for money.

Assistant Minister for Cities and Digital Transformation Angus Taylor said it was the biggest reform to consumer law in a generation.

“Government is pursuing the very simple idea that the customer should own their own data. It is a powerful idea and a very important one,” Assistant Minister Taylor said.

“Australians have been missing out because it’s too hard to switch to something better. You may be able to access your recent banking transactions, or compare this quarter’s energy bill to the last, but it sure isn’t quick or easy to work out if you can get a better deal elsewhere.”

The Consumer Data Right was one of 41 recommendations from the Productivity Commission’s Data Availability and Use Inquiry, tabled in parliament in May this year.

The Government’s formal response to the inquiry will be published in coming weeks.

“It won’t be far down the track when you can simply tap your smartphone to switch from one bank to another, to a cheaper internet plan, or between energy companies.

Government is lifting the lid on competition in consumer services and technology is the enabler,” Assistant Minister Taylor said.

Following on from the Prime Minister’s recent agreement with electricity retailers, and the Treasurer’s open banking initiative, the Consumer Data Right will be established sector-by-sector, beginning in the banking, energy and telecommunications sectors.

Utilities will be required to provide standard, comparable, easy-to-read digital information, that third parties can readily access. New Commonwealth legislation to give effect to these reforms will be brought forward in 2018. [my yellow highlighting]

Take a minute to feel good about this.

Then realise that not all the publicly or privately held digital data retained about you will actually be ‘owned’ by you.

If anything it appears that individuals will have a limited joint right to certain data and what access to data they have will probably attract a fee to view and/or download.

It is also likely that data held about you by the banking, energy, phone and internet sectors will be transferred to third parties even when you prefer this didn't happen. It may become a condition of changing service providers as it will likely give the new provider a wealth of information about you and your credit rating.

It is also highly likely that the new legislation will allow third parties to access, disclose and trade in data sets and/or consumer data - without consumers necessarily being made aware this is occurring.

Eventually the Turnbull Government's consumer data rights along with those third party rights will apply to all sectors, including the insurance industry.

If you are interested in some background reading start with the Australian Productivity Commission’s March 2017 report here.

Saturday 14 October 2017

Political Tweets of the Week




Tuesday 10 October 2017

National ID Database: so you think if you do nothing wrong you'll have nothing to fear?


“There is also a tendency for technologies to converge, allowing for the creation of devices with increased surveillance capabilities. CCTV, for example, may be combined with facial recognition technology….to identify individuals from their images. Another example is modern mobile phones, which combine telephonic services with GPS tracking software, digital visual and sound recording capabilities, and connection to the internet. A consequence of the convergence of surveillance technologies is the greater ability of surveillance users to compile detailed pictures of members of the public, making it increasingly difficult for individuals to maintain their privacy and anonymity.” [Victorian Law Reform Commission – Surveillance in Public Places: Final Report 18, 2010]

This month the Turnbull Government, state and territory governments have agreed to add the photo IDs of all registered drivers to the Facial Biometric Matching Capability (FBMC) database (est. 16 November 2016) which already has access to passport photographs, visa application photos, airport surveillance images and arrest ID images from the criminal justice system.

Additional images will probably be harvested from social media and added to this database, which is to be used with CCTV footage of the general population going about their daily lives when considered necessary by police and security services. The biometric 'map' of an individual's face created by FBMC can be easily applied to searches of video footage from public venue, shopping centre, street and road cameras, as CCTV technology is now capable of automatically recognising people's faces, vehicles, animals and bags.

FBMC will involve using a Face Verification Service, Face Identification Service, One Person One Licence Service and Facial Recognition Analysis Utility Service in identity matching, along with the Document Verification Service, Identity Data Sharing Service and/or any other government identity matching or data sharing service and, of course, one of the areas in which it will be used is so-called crime prevention.

Use of this facial recognition database will also be available to authorised private sector agencies and, like many new tools, it is likely there will be function creep, so that photo IDs will be required by more government agencies and private businesses when interacting with individuals in the future.

The Facial Biometric Matching Capability database will function alongside the Biometric Identification Services (BIS) which features national identification capability using fingerprints, palm prints, foot prints and facial recognition, person identity and evidence image case management, image enhancement tools and record auditing, matching services of one to one, one to few, one to many, and many to many, as well as photobook, photo line-up and witness viewing services.

But what’s the worry? After all if you are an ordinary person not committing a crime you have nothing to fear. Right?

Well there is this on the horizon…………..


Criminologists at Monash undertake cutting edge research in the areas of risk and security that is theoretically sophisticated, innovative and highly relevant to areas of pressing national and international concern. The discipline hosts two recipients of the Australian government’s prestigious Future Fellowship Award, Professor Sharon Pickering and Associate Professor Weber, both undertaking programs of research on border policing. Their jointly authored book Globalization and Borders: Death at the Global Frontier was awarded Australia’s most significant criminology publication award in 2013. The Border Crossing Observatory is the online repository of all border-related research undertaken by Monash Criminology and our national and international partners. Criminologists at Monash have received multiple highly competitive Australian Research Council grants to investigate a host of risk and security related topics, amongst them, counter terrorism laws and policing, immigration and exploitive labour practices, deportation, regional security, and the gendered nature of border crossing and transnational law enforcement. Our risk and security research expertise includes the interrelated topics of borders, counter terrorism, state crime, transnational crime, irregular migration, human trafficking, risk and disability, and pre-crime. [my yellow bolding]

What is “pre-crime”?

Put simply, “pre-crime” activity is a crime not yet committed – it is the suspicion that an individual might be capable of breaking an unidentified law at some unspecified time in the future.

Such suspicion does not mean there is a need to charge, prosecute or convict for a specific crime. Intervention at “pre-crime” stage is supposedly risk containment.

You don’t have to be researching bomb-building or Googling how to buy a weapon online to commit a “pre-crime” activity - it can be your thoughts and political opinions spoken aloud or written down, as well as your actions at a public meeting or protest rally.

It can even be allegedly ‘guilty knowledge’ in that you knew the time and place a small environmental activist group was going to confront their local MP or you saw a person painting an anti-government picket sign ahead of a planned street march.

Going to the media – social or mainstream – with a genuine complaint against a government department might be considered a “pre-crime” if you visibly persist in seeking answers, redress or apology. You could easily be labelled "fixated" by police if a government minister takes offence and decides to complain.

If you make a small donation to a group the police or government consider problematic, troublesome or obstructive of the aims of government or big business you may at some time in the future be considered politically partisan and displaying “pre-crime” tendencies.

These are just some of the groups that are already complained about by big business and politicians: Environment Victoria, Wilderness Society (Australia, Victoria & Queensland), Friends of the Earth, Victorian National Parks Association, Australian Conservation Foundation, Lock the Gate Alliance, 350.org Australia, the Nature Conservation Council of NSW, the Australian Youth Climate Coalition, the Australian Marine Conservation Society, Friends of the Earth Australia, Politics in the Pub and GetUp! as well as Greenpeace and Sea Shepherd.

Just belonging to a group or community association which speaks up on matters of social, economic, environmental or political concern could see you being eyed off as part of a potential conspiracy in the making.

In at least one Western country pre-crime can also manifest itself as a suspicion that you have come into a city centre with the intention of having a drink or two and you will be given a 48 hour direction-to-leave order.

With the notion of “pre-crime” there is no presumption of innocence and little more than lip service to due process if any arm of state or federal government decides you are a person of interest.

So how will pre-crime activity be monitored by police and security services? Well one of the methods used will be surveillance and this surveillance may involve use of the Facial Biometric Matching Capability database created by the Turnbull Government.

Surely this couldn’t possibly happen in Australia? you say. Think again. 

We already keep individuals in gaol long after their court-imposed sentence has been fully completed under continuing detention legislation, have preventative detention without charge and control orders which can be applied to both minors and adults, police are known to use spyware to enter, monitor and control home computers and, in certain circumstances your home can be entered and searched without your knowledge by police and security services.

And here in Australia we have a history of unwarranted surveillance based on an individual's political association (1950s Cold War era) and political dissent (1960s & early 1970s Viet Nam War era) as well as virtually unchallenged unlawful use of coercive powers (Border Force 2014 to 2017).

Police and security agencies are constantly pushing for more legislation which would allow amongst other matters the creation of a raft of pre-emptive, punitive measures based solely on suspicion and an individual’s “pre-crime” tendencies.

Right now in Australia governments are all about political and physical control of the population - they are not about human rights, 'civil liberties' or a free, open and democratic society.

As a society Australia has been sliding down that slippery slope towards an authoritarian destination for years now and in 2017 we appear to have reached the bottom of the slope.

“For years, there’s been ample evidence that authoritarian governments around the world are relying on technology produced by American, Canadian, and European companies to facilitate human rights abuses.  From software that enables the filtering and blocking of online content to tools that help governments spy on their citizens, many such companies are actively serving autocratic governments as "repression’s little helper."
The reach of these technologies is astonishingly broad: governments can listen in on cell phone calls, use voice recognition to scan mobile networks, read emails and text messages, censor web pages, track a citizen’s every movement using GPS, and can even change email contents while en route to a recipient. Some tools are installed using the same type of malicious malware and spyware used by online criminals to steal credit card and banking information. They can secretly turn on webcams built into personal laptops and microphones in cell phones not being used. And all of this information is filtered and organized on such a massive scale that it can be used to spy on every person in an entire country.” [Electronic Frontier Foundation, accessed 7 October 2017]

“Australia’s leading privacy and civil liberties organisations condemn the decision by the Council of Australian Governments (COAG) to provide all images from state and territory driver’s licence databases to the federal National Facial Biometric Matching Capability.
The creation of such a comprehensive national facial database is an unnecessary and disproportionate invasion of the privacy rights of all Australians, is the foundation for suspicionless, warrantless mass surveillance and is fundamentally incompatible with a free and open society.

David Vaile, Chair of the Australian Privacy Foundation said, “This government has proven it is blind and deaf to privacy and personal information security threats. Make no mistake – this database will affect all Australians, even the most conscientious and law-abiding. It will likely generate massive ‘false positive’ lists that will flood our very effective police and security services with useless distractions. We’ve already seen calls for ‘scope creep’ to cover welfare enforcement, and there’s every reason to expect this capability will come to be used to identify people with unpaid fines and other minor issues that have nothing whatsoever to do with terrorism.” [Electronic Frontiers Australia, 6 October 2017]

“Every single portion of human rights activism overlaps, manifests or is exercised with the use of technology. That alone caused attackers and adversaries to recognize that technology itself is a good vehicle to get to these people and interfere with them or cause them harm.” [Claudio Guarnieri of Amnesty International quoted in Threatpost at Kaspersky Lab, 4 October 2017]