The Australian Taxation Office is shopping around for tech companies to build a new online facial recognition tool that will help detect a person's identity by matching their live selfie to a database of passports and drivers licences.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
The ATO released a new tender, which closed on October 20, seeking to engage a company to help provide the agency with a "liveness" solution, which would detect whether a person was real and not an image.
The feature, once developed, will be used in conjunction with the government's identification service, myGovID, in order to login to a number of services with federal departments and agencies.
It comes as Government Services Minister Stuart Robert has outlined the government's move to implement a new digital identity system in 2021.
The new system, a one-stop shop for identity checking, will include document and facial verification services and is spearheaded by the Digital Transformation Agency in partnership with the ATO, Services Australia, the Department of Home Affairs and the Department of Foreign Affairs and Trade.
In a keynote address at the Digital Summit earlier this week, Mr Robert said the whole-of-government approach to digital identity, including the selfie verification feature, would help transform how people accessed services online and would keep data safe and secure.
"The government's investment will allow more people to connect to more services using Digital Identity over the coming years," Mr Robert said in his speech on Tuesday.
"With the passing of legislation governing private sector participation in the Digital Identity system, we will also be able to make digital identity a truly whole of economy solution.
"The legislation will include additional safeguards and oversight to ensure all Australians will have trust and confidence in the Digital Identity system as it is expanded to include state, territory and private sector services."
But tech experts aren't convinced this solution will be any more secure, suggesting it might even make identity fraud easier.
READ MORE:
Cybersecurity expert Dr Vanessa Teague says that as technology improves, so does the chance it can be exploited by attackers.
"The concern would be that, for many many people, there are lots of online sources of good-quality photos, videos and voice recordings that an attacker could use to try to deceive the Digital ID system," Dr Teague said.
"[The government doesn't] understand that the systems they are building could actually make identity fraud much easier."
Dr Teague has already found issues with the ATO's existing digital identity system in regards to the four-digit code users receive when attempting to login. The ATO was informed about the vulnerability but told Dr Teague it had no intention of fixing it.
The problem isn't the facial verification itself - it lies in the potential issues that arise when you defer that task to technology that's still developing.
"There's nothing wrong with facial verification in person - for example, at immigration where you front up in person and they compare your photo with the photo in your passport," Dr Teague said.
"The concern with online digital ID is that even a very normal imperfection in privacy - for example, putting some photos online - could undermine the security of a person's account unless the system is securely designed to detect and defeat reuse of those images."
Countries in Europe, such as Belgium and Estonia, have a system Dr Teague said worked far better. Instead users have an identity card that can hold their biometric and other personal data, which is secured with cryptography - the same concept used to encrypt messages.
If designed properly, Dr Teague said this type of system protected sensitive information from being exposed in cyber attacks.
"I don't understand why we're building a system that will invade privacy and probably weaken login security, when we could copy a much more private and secure system from a country that has been using it for a long time," Dr Teague said.
"I suspect it's simply that there isn't sufficient understanding of the technology within government to make good decisions in this space.
"I wish they would ask the tech community what is feasible and what might be secure, before they make promises based on a tender they've put out for a system that may never be securely realised."