Home Affairs Department bureaucrats, repeatedly thwarted in recent years in attempts to sneak through a radical expansion of government collection and use of biometric data, are using recent major hacking of big corporations to again push an agenda which would see the department become a national repository for all Australians’ biometric data.
Justin Hendry at Innovation Australia reported yesterday that a department official, Gudiya Riddell, said last week that corporations shouldn’t be holding identity verification documents because “biometrically [anchored] digital identities and digital credentials can help to limit the amount of personal information that an organisation collects by enabling an individual to share only the minimum amount of information needed for a transaction”.
Instead, home affairs could operate or nationally coordinate a biometric data repository that corporations would instead use to verify identity.
That is exactly the idea put forward by Peter Dutton and home affairs secretary Mike Pezzullo in 2019 — which was savaged by the Andrew Hastie-chaired parliamentary committee on intelligence and security. That would have created a biometric data hub run by Home Affairs in coordination with state governments, which corporations could have accessed for identity verification (with users’ permission).
The committee ripped the idea apart when home affairs drafted the proposal so widely as to allow myriad other uses for the biometric data, with no privacy safeguards or accountability requirements, no independent oversight, and plenty of room for endless expansion of what data was included and the purposes for which it would be accessed.
That reflected a longer-term ambition on the part of home affairs and its predecessor department, immigration. In 2014, immigration tried a similar trick as in 2019 — using legislation to sneak through a massive expansion of its powers. It proposed an unlimited power to keep biometric data on everyone entering and leaving Australia. Again, the intelligence and security committee stopped it, with Labor MP Anthony Byrne leading the charge against immigration bureaucrats.
Dutton then proposed a more voluntary border biometric data collection system in 2017, claiming it would enable much faster arrivals at Australian airports.
Now the hacks of Optus and Medibank Private are being used to justify another push for home affairs to become the one-stop shop for all your biometric data needs.
The risks of such a treasure trove of data are the same as they were nearly 10 years ago: home affairs has a woeful record on data security, a rotten record on procurement matters, and it failed to implement the government’s own basic cybersecurity standards for many years (along with most other departments).
And once biometric data is stolen from home affairs or some third-party IT vendor obtained through one of that department’s many bungled procurement processes, the damage is permanent. You can get a new driver’s licence or passport; you can’t get a new fingerprint or iris.
The “key learning” from the Optus/Medibank/whoever’s-next hacks are that the only genuinely reliable way to protect personal data, biometric or otherwise, is not to have it in the first place. Anything else is a second-best solution and, judging by the quality of IT security at many Australian corporations, more likely fourth- or fifth-best.
But the truth that the best way to protect data is not collect it runs contrary to the prime directive of governments and corporations, that it’s always better to collect more data — to sell to third parties, to analyse for selling and advertising opportunities, to devise “better” policy, to address threats. In that environment, our personal data will never be safe — not while corporations and governments believe they can benefit from it.
An ethos that data shouldn’t be collected unless it’s needed and not retained unless absolutely essential is one that is totally foreign to the “collect-it-all” mentality of bureaucracies (whether in the security and intelligence establishment or not) and corporations. But until it’s embraced, cybersecurity is a utopian fantasy.
Would you trust home affairs — or any department — with any of your data? Let us know your thoughts by writing to letters@crikey.com.au. Please include your full name to be considered for publication. We reserve the right to edit for length and clarity.
