Australia’s Digital ID Gamble: Are We Ready for the Risks?

Paul Warren-Tape

This week, Minister Bill Shorten announced what’s being touted as a groundbreaking expansion of Australia’s Digital ID Trust Exchange (TEx). With $11.4 million on the table, the government is betting big on a system that promises to revolutionise digital credentialing, allowing Australians to store and share their identities through any digital wallet. 

Sounds like a win, right? Digging a bit deeper, however, reveals that this might be more of a high-stakes gamble than a sure thing.

Kicking the tires

Shorten is painting the TEx as a privacy-forward solution, where users can share just enough personal information to get verified without handing over the keys to the kingdom. It’s an appealing pitch, especially in an era where data breaches are as common as rainy days in Melbourne. 

But before we get too excited, let’s remember that the devil is in the details—and so far, those details are murky at best.

Here’s the reality check: while Shorten is busy selling the TEx as the digital equivalent of a Ferrari, the truth is, we’re still cruising around in something closer to a prototype. And let’s not forget, this shiny new system is set to be trialled next year—so Australians are essentially being asked to be the guinea pigs in an untested digital experiment. That should raise some eyebrows, especially given myGov’s less-than-stellar track record.

Tarnished credibility 

Take a quick Google search of “myGov and fraud,” and you’ll find headlines that should make anyone think twice. Remember the $500 million ATO fraud debacle which came to light in July 2023? It exposed glaring flaws in the myGov ID system, which doesn’t exactly inspire confidence in the government’s ability to secure our digital identities. If the TEx is going to succeed, it has to overcome this credibility gap—because right now, trust is hanging by a thread.

Then there’s the issue of the Digital ID Act 2024, which is supposed to lay the groundwork for this brave new world of digital identities. The government has been all ears, seeking feedback from the private sector and stakeholders like IDVerse, which was the first private entity to be accredited under the previous Trusted Digital Identity Framework. But here’s where it gets real: IDVerse has raised serious concerns, and for good reason.

You only get one shot (to quote Eminem)

The problem no one’s talking about? The initial registration process for obtaining a digital identity. If fraudsters manage to slip through the cracks during this phase, they’ll be handed a golden ticket to commit fraud anywhere that accepts the new digital ID. The stakes couldn’t be higher, which is why IDVerse is pushing for a more rigorous, multi-layered identity proofing process—one that goes beyond the half-measures currently in play.

Below are just two examples, both available in less than 60 seconds and less than $10 (paid for in crypto, of course, to make tracking more difficult):

A synthetic (i.e. fake) Australian passport created using generative AI.

A synthetic NSW driver license created using generative AI.

There are now hundreds (if not thousands) of these sites online offering similar services. They offer a range of real documents onto which new personal data is overlaid using generative AI (GenAI) models. Just last week, an article stated that a free face swap tool had gone to number one on GitHub.

IDVerse is currently tracking over 110 different sites as part of our continuous monitoring of fraud trends and threats. We first discussed this type of GenAI-assisted document fraud in February of this year in a piece concerning the website OnlyFake.

Time to nail it

Australia must get this right from the start. If we don’t, we risk creating a digital Wild West where the very tools designed to protect us become the instruments of our exploitation. The government’s framework, while a step in the right direction, needs to be tightened, especially when it comes to validating identity documents.

This should be non-negotiable, no matter how hard it is from a framework-design standpoint. There are already industry-accepted better practices to lean on, like the FIDO Alliance’s Document Authenticity (DocAuth) Certification Program for Remote Identity Verification.

Right now, the system is far too vulnerable to document fraud—something IDVerse encounters all too often. The current checks are simply not enough; they need to be bulletproof.

Who can be trusted?

Let’s not kid ourselves—myGov won’t be the only game in town. Australians will eventually have a choice of identity providers, each carrying a ‘Trustmark’ to signal compliance with the Digital ID Act. But how will the average person know which provider to trust? The truth is, without a rock-solid accreditation process, that Trustmark is little more than a fancy sticker.

So is this really a step forward? On paper, sure. But in reality, we’re walking a tightrope. The concept of digital identity is powerful and necessary, but the execution is where we could see everything go off the rails. Before we start patting ourselves on the back, we need to confront the very real risks that come with digitising our identities.

Image animated using Luma.

Proceed with caution

In the end, this isn’t just about convenience or modernising government services. It’s about trust, security, and protecting the very essence of who we are in an increasingly digital world. 

And until the government can prove it’s ready to meet those challenges head-on, we’d be wise to approach this digital identity revolution with caution—because when it comes to our identities, the stakes couldn’t be higher.

About the post:
Images and videos are generative AI-created. 
Prompt: Suspicious man in fedora and trenchcoat, standing in shadowy alley, holding his coat wide open to reveal an inner lining filled with colorful passports for sale. Film noir style, dramatic lighting, high contrast, hyper-realistic. Tools: Midjourney, Luma.

About the author:
Paul Warren-Tape is IDVerse’s GM for Global Risk and Compliance. Paul has 23+ years of global experience in cyber, financial crime, operational risk, privacy, and compliance, spending 10 years in pivotal roles within the Australian financial services industry. Paul is passionate about helping organisations solve complex problems and drive innovation through encouraging new ideas and approaches, whilst meeting their legislative requirements.
