Can digital IDs keep your personal identity private?

We are, unfortunately, in the middle of a wave of cybercrime and there is no indication it will subside. Our increasingly digital lives bring enormous benefits but are also vulnerable to a daunting variety of scams and thefts.

Click image to zoom Tap image to zoom

One particular challenge is our personal identity. In the past, we established who we said we were with physical documents in an analogue world. That might be passports, licences, government identification numbers, specific documents or a combination of several of these.

“Creating secure, digital identities is a crucial step in making our digital lives more secure.”

Today, with more activities online, we still rely on the collection of that real world data - but it is not always securely stored. And that data, if stolen, can be used to establish fake identities, undertake illicit transactions, steal our money or coerce us.

That’s why creating secure, digital identities is a crucial step in making our digital lives more secure. Rather than providing that specific data, such as passports, driver’s licences or other critical information, we could provide the secure, digital identity to real estate agents or car rental firms or hotels or providers of other services.

The actual data would not be shared but held by a trusted, secure provider of the digital ID.

Around the world, many government and private sector operators are working towards schemes which satisfy this need. The ideas are frequently excellent although real world implementation is still likely to take some time.

My view is a more secure digital ID should be a priority element of Australia’s next National Cyber Security Strategy - but we also need better ways to ensure security in transactions or data sharing across organisations.

In a very inter-connected world, we need to assume major security incidents will happen and practice how we respond together to protect those who might be impacted. 

My priorities for the next national cyber security strategy would be:

  1. A better system for secure identification of people - with the government to lead on a national digital identity capability. This more secure digital ID would complement a clearer understanding and tighter regulation of what data is required and how it is stored.
  2. A better way to help assure the security of the third parties with which we all work – often the challenge is in chains of information exchange so we must ensure the security and rigour in what is shared.
  3. Better exercising of our response to major security incidents across private and public sectors.

I know, historically, we have seen reluctance when people feel forced by government to comply with identity or security measures or when they think privacy is at stake, such as with proposals like a national identity card. At the extreme, we saw such concerns about mandated vaccinations despite the clear benefits for individuals and society.

It may be that, at least initially, an opt-in identity scheme might be an option. This would at least enable better identity protection for those who want it.

However, we do need to recognise the amount of personal data large companies are required to collect poses serious dangers to Australia’s overall cybersecurity. And currently there are huge vulnerabilities in our national identity capability.

I do believe government needs to play a leadership role, whether that’s in a centralised identity plan or a centralised way of checking whether third parties are secure.

A further complication at the moment is the lack of clarity around who has responsibility for what, inside and outside government, and this creates a roadblock to effective cybersecurity management.

The private sector and government do need to work well together – and there are models where this does happen in Australia, notably Austrac – and share information in a timely and effective way. Such collaboration is growing with other government organisations but there is more to do.

What is clear is we have reached a point where we know the ways we identify people, using a lot of the documents that have been exposed in data breaches, is no longer providing what we need. There must be a better way.

It is complex and obviously it needs to be done well. Of course, data needs to be well protected.

However, that’s not that different to a lot of other areas where we need to centralise data, whether it's medical information or other things, where people justifiably have concerns about privacy and how well that's managed.

A secure and efficient system will take time to set up which is one reason why we should be having a serious discussion about it today. It will be about balancing the need for the data with privacy and security.

And it is about better and clearer guidelines and regulation around what data really needs to be collected for a product or service – as opposed to what might be useful for marketing – and how and how long that data is stored.

It is the nature of data storage that the very place where large amounts of personal data are aggregated is exactly where criminals will focus their efforts.

We need the right balance between what do you centralise and the risk of creating a giant target.

Banks do have a long history of protecting valuable material, whether that is financial assets or the personal data associated with those assets. We can play a valuable role in this vital conversation.

Cyber security today

Secure, digital identities may be some time away but we can take immediate steps to help our cyber security.

Good security in large and complex organisations requires a range of capabilities that all work together to keep us all safe.

Unfortunately, there is no single silver bullet or capability that alone keeps us secure. But there are simple steps we can all take to improve our personal cyber security and these are also a factor in corporations' security capabilities.

ANZ’s Protect Your Virtual Valuables concept encourages people to protect their virtual valuables in the same way they do physical valuables by making a “PACT” - four simple steps towards better cyber security.

  • Pause before sharing sensitive information, including in online profiles. Consider what can put you in danger or impact your reputation and don’t forget to turn on privacy settings on devices, apps and social accounts.
  • Activate two layers of authentication and use different passwords for each account.
  • Call out suspicious messages, don’t click links, give out personal information or send money in response to an unexpected request.  And be an upstander - if you see abuse online, report it.
  • Turn on automatic updates and tame the tech by exploring how to set access and parental controls on home wifi networks, gaming consoles, mobile devices and smart TVs.

And always be vigilant about anything suspicious or unexpected online particularly urgent requests for you to act and provide personal information or click on links.

Lynwen Connick is Chief Information Security Officer Group Technology at ANZ

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

27 Sep 2022

A digital alternative to online identity theft risk

Andrew Cornell | Past Managing Editor, bluenotes

Identity theft is a global online scourge but one of the most promising fields of digital innovation is digital, secure IDs.

11 Nov 2022

Cyber security is everyone's business

Isaac Rankin | Managing Director Commercial and Private Banking, ANZ

As cyber threats against businesses become more prominent and sophisticated, all companies need to rethink how they protect themselves.