Why a single online ID would be dangerous

29 January 2015

From an ethical and practical standpoint, such a program is quite worrying.

Imagine you had a single digital identity, an online ID that you could use for any government service. Whether you needed to communicate with departments that handled tax, welfare, or healthcare and education, all you'd need is a single online ID.

It would bring together information about you from all participating departments, meaning less paperwork for government officials and greater information at their fingertips. Not only that, it would take all the hassle out of dealing with government services for you, yes?

Communications minister Malcolm Turnbull has been given the job of creating a new Digital Transformation Office. In part this will oversee the development and introduction of a single digital identity to access an integrated range of government services. But before we rush into this, let's consider for a moment that this way lies danger.

 An online ID substantially reduces individual privacy; it gives increased power to government departments over people; it is a lure for future privatisation; is a massive cybersecurity risk; and if past experience is anything to go by, it will be dramatically more expensive than expected – and is likely to be a failure. From an ethical and practical standpoint, such a program is quite worrying. 

On privacy, the concern is that by unifying our official information under one single online ID, we expose a great deal more about ourselves to those with access. By design, the range of people who will have access to our information is dramatically increased. The single online ID means that any government department can potentially access any official information about you – getting a parking ticket could potentially reveal your passport number, the names of all family members and criminal records. Of course, in the ideal system, only those with the right clearance willbe able access such personal information, but an ideal system requires greater oversight and willbe more costly and cumbersome.

In terms of power, it means there is a higher potential for the unpaid parking ticket to prevent you from accessing other government services. Such a unified ID not only increases what can be known about you, but  also gives departments much greater power over which services you can access and when. Governments of both stripes are enamoured with the idea of price signals as a way to bring down costs in healthcare and education. It is not a long jump from "price signals" to service restriction as an "incentive" to pay fines. But unlike standard market goods, many government services are vital to guarantee a minimum quality of life, which must not be underestimated.

In this year's Queensland election, the LNP government is advocating a strong agenda of privatisation. Similarly, both sides of government are desperate to restore the budget to surplus. Massive databases of personal information are a potential gold mine for private industry. The concern here is that our personal information, collected and secured with Australian tax dollars, becomes a potential asset to be commercialised and sold off like Telstra, Medibank and energy companies. The UK's 2012 Open Data White Paper saw the personal information of UK citizens, albeit anonymised, as "the raw material for innovative new business ventures." Big data is big business and our personal information would be a treasure chest for a vast range of companies.

Not only is such data attractive to businesses, but an online ID that unifies personal information presents a veritable gold mine for criminals. Pulling all government information about you under one banner would make identity theft much easier. Add to this the increasingly personal nature of this information and we have increased potential for cyber-blackmail. As the information becomes more personal, malicious hackers are more likely to find things about you that you want to remain secret, and to blackmail you with this information. There is also the rising problem of "ransomware": hackers break into the government database, encrypt that information and refuse to un-encrypt it until vast amounts of money are paid.

Linking the unique identifier to a range of essential services makes the government and the community increasingly vulnerable to such attacks. Let us not forget that no system can be 100 per cent secure: hackers, malicious insiders, poor security design and human error all increase the chance that such a system will be breached.

Finally, looking at what has happened in Australia and abroad with "e-government" programs, similar efforts have been spectacular failures. The Australian government's struggling "e-Health" program was subject to a review in 2013, adding an extra $140 million to the $1 billion already spent on the project. Similarly in the UK, the cost of moving to electronic health records cost in excess of £2.7 billion, and was ultimately cancelled. Amid the hype around such online IDs, promises of increased efficiency and decreased costs have to be viewed with a heavy dose of scepticism.

Finally, given the range of concerns about the introduction of the universal identifiers, we must also remind ourselves that avoiding these sorts of services will cost each of us a little more time and hassle. We'll have to keep doing annoying paperwork that may need replication across a number of different government services. But a small loss of time on our part is surely a fair trade to retain our privacy, power, to reduce corporate influence on our lives and to increase basic cybersecurity while saving us all money.

This article was first published in The Age.

Dr Adam Henschke is a research fellow at the Australian National University's National Security College. He is co-editing a forthcoming book on the ethics of cyberwarfare.