How to Create an Infostructure to Protect Data as a Utility
Citizens need good data nearly as much as they need clean drinking water and stable electricity. In order to secure this right for its citizens, governments need to lead the way in the organised, whole-of-society treatment of data as a utility.
The dark side of data is obvious. Fraud, counterfeiting, fake news, misinformation and impersonation are all booming in the digital sphere. Digital now dominates how we interact with the world. But people are left increasingly vulnerable, lacking the customary cues they previously used to establish trust. All they have to go on is data.
Bad data is at the heart of all fraud. ‘Card-Not-Present’ payments fraud, for example, uses stolen credit card numbers which are replayed against unwitting merchants. More elaborate impersonations use rich personal data, often harvested from social media profiles, to fool Knowledge-Based Authentication and account-opening processes. Multi-million dollar mortgage frauds are also perpetrated this way.
Entirely synthetic identities can be created by skilful criminals who know the blind spots of financial security systems.
The emergence of deep fakes — high fidelity computer-generated animations that duplicate real persons — has kicked off another security arms race. In 2019, fraudsters even used a synthetic voice generator to imitate an energy company’s executive, and called a finance officer at the company to request a €220,000 cash transfer to the fraudster’s account.
The public and lawmakers alike have faith in an imagined sci-fi precision of biometric security, but these systems are becoming increasingly fragile in the face of deep fake-based ‘presentation attacks’.
All these frauds take advantage of our difficulty detecting digital lies. Citizens, businesses and governments too all urgently require assurance of the accuracy of all data, from credit card numbers and correspondence from the bank, to news reports and videos of celebrities.
Unsurprisingly, the criticality of data as a public utility is high on policy agendas worldwide. The World Bank, for example, in its World Development Report 2021: Data for Better Lives, highlighted the tensions between value realisation from data on the one hand, and political and economic imbalance on the other. This imbalance is exacerbated by asymmetries in data processing capabilities.
The bank calls for “a new social contract for data” that, among other things “fosters citizens’ trust that they will not be harmed by misuse of the data they provide”.
The importance of data is slowly dawning on Australian legislators. After all, its value has created some of the richest, most powerful corporations in history.
However, the framing of data infrastructure remains shallow. It misses the opportunity to treat data itself as a modern societal resource.
Data protection is more than orthodox cybersecurity. It goes beyond the classic ‘C.I.A.’ triad of confidentiality, integrity and availability.
If data is a resource as important as water, power, transportation and communications, then we must attend to all the properties that make it valuable. For instance, provenance has become a key concern for ensuring digital trust.
How can we verify the source of truth for the data we depend on? How can we tell where a piece of data originated and what it is intended to be used for? And when data has been derived from other sources through big data and artificial intelligence algorithms, what do we know about those algorithms and the raw data which fed them?
Australia’s recent digital infrastructure moves
The Australian Productivity Commission’s 2017 Data Availability and Use report recognised data as an asset, and noted that there are plenty of datasets which, if degraded or rendered unavailable, “would significantly impact the social or economic wellbeing” of Australia.
In the same year, public consultation on the Security of Critical Infrastructure Bill considered whether data centre assets should be included in critical infrastructure, but the government decided not to.
Shortly after, Anne Lyons, a visiting fellow at the Australian Strategic Policy Institute (ASPI), released Identity of a Nation, a lucid exploration of the strategic importance of national identity assets: such as public records and registries, citizenship records, land titles, the census, law court and parliamentary proceedings, and cultural collections.
Lyons set out Australia’s vulnerability to attacks on, or accidental loss of, these identity assets. She issued an appeal for data itself to be treated as part of the nation’s critical infrastructure, over and above the physical data centres and telecommunications systems through which it flows.
In 2018 the Department of Home Affairs launched a comprehensive inquiry into the security and management of ‘identity information’. The report was delivered to the Minister in 2019 but was never released. Only recently has the report surfaced under freedom of information.
A key recommendation was that “All Australian citizens and residents should have a ‘core credential’ that is biometrically based which they can use to prove their ‘identity’”.
The shudder quotes are typical of a report, which seems to me unsure of its subject matter and yet quite clear in its drive towards a single national biometric credential.
It is not known if or why the government restricted publication. In my view, the authors’ enthusiasm for a national identification regime could have been awkward when such a proposal remains taboo — as I’ll explain shortly.
The Consumer Data Right (CDR), legislated in 2020, creates a regime in which businesses that hold data about individuals can be directed by those individuals to share the data with other nominated businesses.
The aim is getting better deals for utilities and financial services or, in future, obtaining new services directly based on analysing that data.
The CDR is Australia’s first concerted effort to build general-purpose data-sharing infrastructure, and to re-balance the rights to use and profit from data. It’s a strikingly comprehensive intervention, setting enforceable cybersecurity standards in a way that our governments have long been reluctant to set.
Which brings us to the present day and the current program of data policy work within the Department of Prime Minister and Cabinet.
This includes a data strategy, a data strategy action plan and a data security review built around the realisation that “data is an important national asset that drives innovation and transforms the world we live in”.
Dozens of decent case studies demonstrate the importance of data, yet there is still no decomposition of what exactly makes data valuable and worthy of protection. And while the CDR regime has admirably set enforceable standards for data security, the data strategy action plan is all light-touch awareness and policy measures.
Our legislative culture aims to be technologically neutral. Australian governments therefore tend to foster joint development with industry of best practices and (eventually) standards, and to seek to procure reasonable-solution systems. These solutions are not necessarily state of the art, but are responsible, cost-effective and, above all, mature enough to pose few risks for citizens.
The recent critical infrastructure protection legislation typifies the Australian way.
The major onus is on industry reporting and information sharing, but no technical standards have been mandated. Moreover, the government has continued to exclude data-as-an-asset from infrastructure deliberations, and has therefore yet to contemplate how to systematically safeguard the distribution of this critical resource.
There is a newly-minted term for the systematic approach to data safety: infostructure.
The Oxford English Dictionary calls it “an organisational structure used for the collection and distribution of information … comprised of hardware, networks, applications, etc., used by a society, business, or other group; also as a mass noun.”
I would go a little broader and explicitly include soft technologies, including all-important digital literacy.
We can regard infostructure as the blend of rules, social norms, technologies, networks, quality processes, and public and private services that will deliver safe dependable data as a utility.
Move on from the ancient bogeymen, Australia
It continues to be inordinately difficult in this country to discuss digital identity without invoking — accidentally or otherwise — the spectre of the ill-fated Australia Card.
Announced by the Howard government in 2006 and known officially as the Human Services Access Card, or just the Access Card, this was an overblown effort to ostensibly digitise all social security cards into one new entitlement mechanism.
However, the need was not compelling. Sure, there are more than a dozen social security cards at federal and state levels, but how many Australians really carry more than three or four? There was no clear or believable design to prevent the government linking up every transaction behind our backs. It therefore seemed plausible that this was the covert point of the exercise.
With public anxiety rising and the forecasted costs growing to more than a billion dollars, in 2007 the incoming Labor government cancelled the project.
In the wake of this badly mishandled identification project, even modest proposals to selectively digitise the way we exercise government accounts have struggled for credibility.
In 2010, for example, Labor’s Health Minister Nicola Roxon proposed that the Medicare card be chipped and carry the new Individual Health Identifier. This would have helped prevent imposters using the card, just as chip-and-PIN protects modern credit cards, without otherwise changing how government services operated.
But this project was also abandoned after inevitable comparisons were made with the Australia Card, and political pushback even came from state governments.
Since then, governments from both major parties have mishandled IT projects and privacy to such an extent that too many citizens will automatically view any improved handling of digital information as another newfangled invasion of privacy.
Just think of the problematic digital failures of the 2016 Census, My Health Record, and the so-called Robodebt scandal.
Clearly the government needs more than just jolly hand-wave marketing of the benefits of digitisation. The projects themselves must be better conceived so they’re less disruptive to existing trusted processes, less risky to privacy, and consequentially easier to explain.
Creating a better concept of data safety
Government projects must attend to the whole range of properties of data that make it valuable and make it safe to use. Making their thinking transparent will lead to more trusted and perhaps more manageable projects.
It’s time to abandon the metaphor of ‘digital identity’. In most cases we don’t need to know who someone is. We simply need to know whether they’re eligible for a particular government service, or more generally whether some given fact about them is true.
The classic example is proving you’re 18 years or older before buying alcohol. The bar staff don’t need to know your name, address, and date of birth from a driver licence. They simply need a trustworthy yes or no answer.
The trouble with digital identity is that computerisation invariably mixes and joins up all the nuanced facets of analogue identity that in the physical world we instinctively keep separate. We should keep identity analogue, and carefully digitise all our various personal credentials.
Each digital credential should mean nothing more and nothing less than the fact that the holder has that credential. There should be no extraneous disclosures when a credential is presented, and no digital breadcrumbs.
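The principle that a presented credential should disclose the fact being proven and nothing else can be made concrete with a hash-based selective-disclosure credential, the pattern behind SD-JWT style credentials. The example below is added here and is not code from the article or from any government wallet: the issuer commits to every claim as a salted digest and authenticates only the list of digests, so the holder can later reveal the single claim `over_18` while the name and date of birth stay on the phone. The issuer name, the key and the sample claims are constructed, and an HMAC stands in for the public-key signature a real issuer would use.

```python
"""Added example, not the article's or any wallet vendor's code: a minimal
hash-based selective-disclosure credential. The issuer commits to each
claim as a salted digest and authenticates only the digest list; the
holder reveals one claim (over_18) without exposing the rest."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Constructed key. A real issuer would use a public-key signature
# (e.g. Ed25519) so verifiers need no shared secret; HMAC stands in here
# to keep the example standard-library only.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"


def claim_digest(salt: bytes, name: str, value) -> str:
    """Salted digest of one claim; the salt stops guessing of low-entropy values."""
    encoded = json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(salt + encoded).hexdigest()


def issue(claims: Dict[str, object]) -> Tuple[dict, dict]:
    """Issuer side: return (credential, disclosures). The credential holds only
    digests; the (salt, value) disclosures stay on the holder's device."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = os.urandom(16)
        disclosures[name] = (salt.hex(), value)
        digests.append(claim_digest(salt, name, value))
    digests.sort()  # sorted so digest order leaks nothing about claim names
    payload = json.dumps({"iss": "constructed-registry", "digests": digests}, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the requested claims to the credential."""
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in reveal},
    }


def verify(presentation: dict) -> Optional[dict]:
    """Verifier side: check the issuer tag, then check each disclosed claim
    against the committed digests. Returns the verified claims, or None."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None  # payload altered, or not issued by this issuer
    committed = set(json.loads(cred["payload"])["digests"])
    verified = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if claim_digest(bytes.fromhex(salt_hex), name, value) not in committed:
            return None  # disclosed value is not what the issuer committed to
        verified[name] = value
    return verified


def age_check_demo() -> Tuple[Optional[dict], Optional[dict]]:
    """Bar-door scenario: the holder proves over_18 only. The second value
    shows that editing a disclosed claim is detected."""
    credential, disclosures = issue({
        "name": "Constructed Person",      # constructed sample data
        "date_of_birth": "1990-01-01",
        "over_18": True,                   # derived by the issuer at issuance
    })
    honest = verify(present(credential, disclosures, ["over_18"]))
    forged = present(credential, disclosures, ["over_18"])
    forged["disclosed"]["over_18"] = (disclosures["over_18"][0], "yes, trust me")
    return honest, verify(forged)


if __name__ == "__main__":
    print(age_check_demo())  # ({'over_18': True}, None)
```

The verifier learns the one fact it asked for and, because the undisclosed claims survive only as salted digests, cannot recover the name or birth date from the credential it was shown.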
New South Wales has started along this path with the Service NSW app, which now presents a carousel of digitised credentials. These already include driver and boating licences, photo ID cards, the Seniors Card and trade certificates, and the app is being extended to working with children checks, birth certificates and more.
The trust mechanisms include the user having to log into the app with a PIN, something only they know, and the other party being able to use the app on their phone to confirm the credential’s validity in real time through an ever-changing QR code.
Of particular note is the display of COVID-19 vaccination status: a simple green tick to show to those who need to ask.
The best-known such “data wallet” is the Apple Wallet. It’s distinctly easy to use, but it is not the only game in town.
Waving a phone is fast becoming a uniform user experience, as familiar as inserting a plastic card into an ATM or an airline check-in kiosk. Moreover, behind the scenes there are rigorous business processes, checks and balances whereby credential issuers are given trusted access to the wallet hardware and operating systems.
It is difficult for banks and healthcare authorities to have their credentials approved by Apple, and so it should be.
The risk of monopoly is ever present, but governance does need to be strict. If the administration of digital credential wallets could evolve into public-private partnerships, then the risks of vendor lock-in would be manageable, with governments and product companies such as Apple keeping each other honest.
Any government data wallet infostructure should therefore be open to other qualified private sector vendors and credential providers who would participate subject to new governance processes.
While governments seek technology neutrality, they should acknowledge that some technologies are better than others. They should adopt a modern technology family, just as they select tamper-resistant driver licence technology and cryptography from endorsed supplier lists.
Specifically, governments should pivot as quickly as possible from QR codes, which are vulnerable to cut-and-paste attacks, to secure radio frequency methods, particularly NFC (Near Field Communication). This is the same technology used in payWave and e-passports, and now standardised internationally for mobile licenses and smart phone wallets.
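What makes a static, copyable code weak and an interactive channel strong is the set of checks the verifier can run when the holder's device answers in real time, as the Service NSW app's ever-changing code and an NFC session both allow. The example below is added here and is not code from the article, Service NSW or any wallet vendor: each presentation is bound to a challenge the verifier just issued, carries a short-lived timestamp and a one-time nonce, and is authenticated by a key held on the holder's device, so a captured copy fails when replayed, when shown to another verifier, or when held back too long. The device key, the 30-second freshness window and the sample fact are constructed assumptions, and an HMAC stands in for the device's public-key signature.

```python
"""Added example, not code from the article, Service NSW or any wallet
vendor: verifier-side checks that an interactive 'tap and prove' channel
makes possible. A presentation is bound to the verifier's own challenge,
a short-lived timestamp and a one-time nonce, and authenticated by a key
on the holder's device, so a copy of it is useless to whoever captured it."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed device key; a real wallet keeps this in the phone's secure
# hardware and uses a public-key signature rather than a shared HMAC key.
DEVICE_KEY = b"constructed-holder-device-key"
MAX_AGE_SECONDS = 30  # assumed freshness window


def make_presentation(fact: dict, challenge: str, now: float) -> dict:
    """Holder side: bind the fact to this verifier's challenge and to the time."""
    body = json.dumps({
        "fact": fact,
        "challenge": challenge,
        "issued_at": now,
        "nonce": secrets.token_hex(8),
    }, sort_keys=True)
    tag = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """One verifier (e.g. a venue's terminal) with its own challenge state."""

    def __init__(self) -> None:
        self.open_challenges = set()
        self.seen_nonces = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, presentation: dict, now: float) -> Optional[dict]:
        """Return the proven fact, or None (each rejection reason is commented)."""
        body = presentation["body"]
        expected = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presentation["tag"]):
            return None  # altered, or not produced by the holder's device
        data = json.loads(body)
        if data["challenge"] not in self.open_challenges:
            return None  # produced for another verifier, or already consumed
        if not 0 <= now - data["issued_at"] <= MAX_AGE_SECONDS:
            return None  # stale, or clock skew beyond tolerance
        if data["nonce"] in self.seen_nonces:
            return None  # exact replay of a presentation already accepted
        self.open_challenges.discard(data["challenge"])
        self.seen_nonces.add(data["nonce"])
        return data["fact"]


def replay_demo() -> tuple:
    """Walk through: genuine tap, the same bytes again, a copy shown to a
    second verifier, and a presentation held back past the freshness window."""
    fact = {"over_18": True}              # constructed sample fact
    venue_a, venue_b = Verifier(), Verifier()
    t0 = 1_700_000_000.0                  # constructed clock value

    challenge = venue_a.new_challenge()
    genuine = make_presentation(fact, challenge, t0)
    first = venue_a.verify(genuine, t0 + 2)       # accepted
    replayed = venue_a.verify(genuine, t0 + 5)    # same bytes again: rejected
    elsewhere = venue_b.verify(genuine, t0 + 5)   # copied to another venue: rejected

    late = make_presentation(fact, venue_a.new_challenge(), t0 + 10)
    stale = venue_a.verify(late, t0 + 10 + MAX_AGE_SECONDS + 1)  # too old: rejected
    return first, replayed, elsewhere, stale


if __name__ == "__main__":
    print(replay_demo())  # ({'over_18': True}, None, None, None)
```

A printed or screenshotted code cannot carry a challenge it has not yet seen, which is why the verifier-issued challenge, not the code format itself, is what defeats copying; NFC simply provides a channel on which that round trip is natural.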
To govern a private-public infostructure, government needs a metadata dictionary of definitive authoritative sources. Administration of the dictionary would be delegated to the many established trusted authorities in the professions, healthcare, state registries, education and business.
Government can foster (through procurement and standardisation) a commercial business model of digitisation-as-a-service, mirroring exactly the way in which commercial bureaus today manufacture trusted plastic cards for Medicare, transport operators, universities, employers and sports clubs.
Take the lead on comprehensive data safety
Government is the foundation for most of the atomic truths we all depend on day-to-day. While governments have struggled to find their way with digital identity, the best thing they can do now is refocus on the concrete and make all the facts and figures for which they are authoritative available to citizens in verifiable digital form.
Only then will true digital citizenship follow, when we can move verifiably true copies of important data around as simply and safely as we move our digital money.
♦ Dispel the bogeyman of the Australia Card once and for all, and reframe the digital citizen experience around what rather than who. Instead of abstract open-ended "identity", concentrate on concrete objective credentials, and the public-private infostructure that will enable citizens to prove specific facts and figures about themselves.
♦ Enable citizens to prove their bona fides digitally, upgrade from plastic cards to electronic verifiable credentials. The technology exists today for government-issued certificates to be issued in digital form, and loaded to smart phone wallets. Provide citizens the option of having digital versions of their standard Medicare card, driver licence, health identifiers and birth certificates, without any change to these credentials' meaning or rules.
♦ Upgrade from QR codes to modern radio frequency "tap and prove" methods. Most government mobile credentials today use QR codes as the presentation mode, but this technology is vulnerable to illicit copying and counterfeiting. Radio frequency technology, as used in payWave, is faster, far more secure, and increasingly available in mobile phones for non-payments applications. U.S. and European governments are working with mobile phone companies and telcos to make licences and COVID vaccination certificates available to mobile data wallets. Australia should join this movement, leveraging the new mobile driver licence standard ISO 18013-5.
Stephen Wilson is Managing Director of Lockstep Consulting (https://lockstep.com.au/) and an independent researcher and analyst with over 27 years’ experience in digital identity and data protection. He has been an adviser to Service NSW on COVID Safe privacy and digital driver licensing. He is currently a member of the NSW Digital Identity Ministerial Advisory Council. Follow him on Twitter at: @Steve_Lockstep