In Australia, the Senate is inquiring into a new bill, the Digital ID Bill 2023.
To cut a long story short, this bill is controversial.
On one side, the government asserted that this bill will
… put in place the legislative framework to create an economy-wide Digital ID system in Australia.
Digital ID is a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information. Digital ID is not a card, it's not a unique number, nor a new form of ID.
Data breaches, such as Optus and Medibank, impacting millions of Australians show the need to protect people and their identities. This Bill will help to address this challenge. The Digital IDs enabled by this Bill will avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain documents that could then be at risk.
On the other side, the fear is that
Picture this: your most private information, used and abused, not just by the government, but by corporations too. Add to that the potential for your every move to be monitored and controlled. Scary, isn't it?
The Albanese Labor Government has just lobbed a dystopian grenade in our laps – the Digital ID Bill 2023. And nobody asked for it.
So, who’s right? Should you oppose or support it? Is it good or evil?
I think it is good for cybersecurity. But in terms of privacy, you gain some and lose some. Whether to support or oppose it depends on your values. This article will help you make up your mind.
Current Situation
Today, many organisations and businesses are legally obligated to verify your identity, both online and in person.
For example, to sign up for a mobile phone account, telecommunication companies need to verify who you are. In the process of doing that, they end up storing copies of your identity documents (e.g. passport, driver's licence) in their systems.
Then hackers break into those systems, steal your identity documents and use them to commit identity theft at your expense. Optus, Medibank and Latitude Financial are prime examples of big businesses that got hacked and created serious risks for literally millions of people.
Let’s assume that organisations and businesses are always going to get hacked, resulting in identity documents being stolen, and putting lots of people at risk of identity theft.
So, what is the technological solution to mitigate this risk going forward?
OAuth
Such a solution already exists. It is called OAuth (strictly, OAuth 2.0 together with OpenID Connect, the identity layer built on top of it that turns OAuth's delegated access into a sign-in). Most people already use this solution without realising it.
For example, look at the sign-in page of Canva:
You can sign in with an email and password. But as we know, websites are getting hacked all the time and passwords are stolen by hackers. Besides, people are sick and tired of coming up with yet another password.
So, the alternative is to log into your Canva account through your Apple, Google, Microsoft or Facebook account.
This is OAuth technology.
This is how it works in non-technical language:
When you sign in through your Google account, Canva redirects you to Google’s sign-in page.
You authenticate yourself to Google (with passwords, MFA, security key, or whatever).
Google then shows you which of the personal details it holds (e.g. email address, phone number) Canva is requesting, and asks you to consent to passing them on.
Google then tells Canva that you have authenticated, and passes on only the personal information you consented to in the previous step. Canva never sees your Google password; it receives a signed assertion from Google that it can check.
Based on this information from Google, Canva signs you in (or creates an account).
So, using OAuth is more secure and convenient, right? Then, what else is the problem?