
With digital ID top of mind, have government biometrics finally beaten fraud?

NSW leads Australia with its imminent digital ID program, but the federal government would like to think it’s closing in fast. It’s set to collaborate with NSW on a national digital ID program designed to be portable, safe and secure.

However, the real question is whether digital ID, built on the use of biometrics, has finally beaten fraud. If not, what needs to happen for fraud to become a thing of the past?

Australian governments, both state and federal, are big users of biometrics for authenticating identity.

Many Australians would be familiar with the “In Australia, my voice identifies me” voice biometric script used to access MyGov services, and just as many would have used a SmartGate when going through immigration.

“How much these biometrics actually combat fraud is an open question,” says associate professor Vanessa Teague from ANU’s Research School of Computer Sciences.

According to Teague, one of the real problems with these technologies is their closed nature.

Even though they’re publicly owned, they’re not open source and so they’re hard for anyone to rigorously examine. Security claims are made, but there’s no genuine independent analysis of how hard those biometrics are to evade.

“For example,” she explains, “would Services Australia be vulnerable to an audio playback attack or would MyGov be vulnerable to someone else’s photo? The vendors claim they are secure, but there really isn’t any public testing.”

For Teague, security is a major issue, but there are also other problems with government use of biometrics, including race and gender bias, as well as privacy.

“For example, being required to show a picture of yourself to log in – there may be very limited guarantees about the appropriate use and proper deletion of that image, which may not present the person in the best light,” she says. “A (commercial) US voting application was found to be sending the photos to a third party for driver’s licence verification.”

Is biometrics the real question anyway?

According to David Chadwick, a former acting assistant secretary for digital business at Home Affairs, and currently global director for identity and biometrics with Unisys, biometrics isn’t really the question that needs to be asked.

“Biometrics is cool, it’s sexy, but it’s an enabler,” he says. “It’s a risk mitigation strategy. What we’re really talking about is identity.

“What it comes down to is identity versus credential, because it’s the same whether it’s digital or analogue.”

This is where NSW is far ahead of the other states, and the federal government. Its proposed digital identity scheme creates a credential, held on the taxpayer’s phone, used to establish their bona fides without the need to exchange massive amounts of personal data.

For example, an 18-year-old wanting to go into a nightclub, or buy alcohol, would present their phone. The business scans a QR code that simply presents a credential – yes, this person is over the age – without the person needing to give the organisation their name, address, and other personally identifiable information (PII).

Moving to a credential-based system boosts privacy and removes the need for businesses to hoard massive amounts of PII, which otherwise creates a honeypot for hackers and other cybercriminals.

If the Medibank and Optus hacks showed anything, it’s that businesses are holding onto PII when there is simply no good reason to do so. A credential-based system obviates the need for companies to ask for unnecessary data, reducing cyber threats and making everyone more secure.
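A minimal selective-disclosure credential of the kind described above, written as an added example that is not part of the original article and not the NSW scheme's actual implementation. It assumes an Ed25519 issuer key and salted-hash disclosure (the approach used by SD-JWT-style credentials); the claim names and sample values are constructed. The issuer signs only digests, the phone reveals just the "over_18" claim and its salt, and the venue verifies that claim without ever receiving the name or address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Credential carries only salted claim digests and the issuer's signature over them.
type Credential struct{ Digests []string; Sig []byte }
// Disclosure is one revealed claim plus the random salt hashed into its signed digest.
type Disclosure struct{ Name, Value, Salt string }

func digest(d Disclosure) string {
	sum := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(sum[:])
}
// Issue salts and hashes every claim, then signs the sorted digest list (salts stop guessing).
func Issue(priv ed25519.PrivateKey, claims map[string]string) (Credential, []Disclosure, error) {
	all, hs := []Disclosure{}, []string{}
	for k, v := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{k, v, hex.EncodeToString(salt)}
		all, hs = append(all, d), append(hs, digest(d))
	}
	sort.Strings(hs) // canonical order: signer and verifier must hash the same bytes
	return Credential{hs, ed25519.Sign(priv, []byte(strings.Join(hs, ",")))}, all, nil
}
// Verify checks the issuer's signature, then that each shown claim hashes to a signed digest.
func Verify(pub ed25519.PublicKey, c Credential, shown []Disclosure) (map[string]string, bool) {
	if !ed25519.Verify(pub, []byte(strings.Join(c.Digests, ",")), c.Sig) {
		return nil, false
	}
	claims := make(map[string]string, len(shown))
	for _, d := range shown {
		h := digest(d) // Digests are sorted (they were signed that way), so binary search is safe
		if i := sort.SearchStrings(c.Digests, h); i == len(c.Digests) || c.Digests[i] != h {
			return nil, false
		}
		claims[d.Name] = d.Value
	}
	return claims, true
}
```

The verifier learns only the claims in `shown`; the other digests in the credential reveal nothing because each one is salted with 16 random bytes.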

Four credential levels

“Identity management can be defined as ‘who are you and how much do I care?’” says Unisys’ Chadwick.

He gives the example of going into a coffee shop and ordering a takeaway flat white. As a customer, you can give any name you want, and if you remember the name you’ve provided when the order is called, everything is fine. The café doesn’t care who you are, so long as the order goes to the right person.

MyGov lives at level two, and the security is too low for high-risk transactions because it only checks the documents you present. Those documents don’t prove who you are, though there’s a pretty good chance. However, as ANU’s Teague notes, we don’t know how vulnerable the biometrics used on MyGov are to attack.

The goal, says Chadwick, is to move MyGov to level three, which is the system banks use for establishing an account. Here, a photo is compared to the person standing at the counter, along with other identifying documents. The problem is, as he says, humans are bad at comparing faces. “For the average person, comparing a document to the human standing in front of them is no better than a coin toss.”

The gold standard is level of assurance four, which is how passports are issued. With a passport application, an ISO-standard photo is compared to a database using machine learning. It does a one-to-one match, and any close matches are reviewed.

“There’s a lot of talk about computers and biometrics making mistakes, but it’s an almost insignificant number of mistakes compared to humans,” Chadwick says.

Have Australian governments beaten fraud using biometrics? The broad answer is no. Passports are the gold standard, but systems like MyGov still have a long way to go before they meet best-practice. NSW is getting close, while other jurisdictions lag far behind.
