The announcement that Australia could be the first country to trial virtual passports was made by Foreign Minister Julie Bishop at the end of October. The idea was born from a DFAT challenge called InnovationXchange, brainchild of the Foreign Minister herself. Of 392 idea pitches, that of virtual passports was a clear winner, and the Australian government is now discussing a possible trial. But is it as forward-thinking as it sounds?
Cloud-based passports were pitched as an alternative to paper passports, and a solution to the 38,718 passports that were registered as stolen in 2014-15. But it doesn’t solve half as many security issues as it poses.
Introducing cloud-based passports would seem sensible if implemented in the right manner, which is really the crux of the matter here. Stolen and lost passports can be real headaches for individual citizens and involve a lot of lost time (and money). But the risk of a stolen identity, that’s a much larger problem. People who have their identities stolen can end up with bad credit ratings that are difficult to expunge and can in extreme circumstances be charged and convicted of crimes they did not commit.
There are few more valuable resources for an identity thief than a passport. Remember back in 2010, when Israeli spy agency Mossad was found to have been using fake Australian passports for its operations? Or when the ABC’s Catalyst reported earlier this year that recognising false identity is harder than it looks, and that even passport officials get one in seven faces wrong? Presumably these are the kinds of fraud virtual passports are expected to prevent.
This then raises the question of how exactly virtual passports will work. If they include more biometric testing, or fingerprinting for example, this would seem sensible from a risk management perspective. But then there are the privacy implications to consider.
If you have your own passport, you can realistically limit the risk of theft. If your details are available on the cloud, then that control is out of your hands. In 2013, blueprints of the then-under-construction ASIO headquarters in Canberra were stolen in a cyber attack. In August this year, Islamic State hacked personal information of Australian Defence Force employees and published it, urging home-grown terrorists to carry out attacks. If the Australian Government cannot guarantee the security of its own documents, how can it guarantee the security of your passport information?
Not to be confused with a question of government control, this is a question of how secure our government data systems really are. We don’t know what information governments have, how they control it, how they use it and what breaches have taken place. In March 2015, the Australian Senate passed a controversial law under which phone and internet providers are obliged to store two years’ worth of metadata from devices, which is then accessible to 85 security and policing agencies.
The concept of storing data is, in essence, a very sensible one; however, the lack of transparency around how it works isn’t exactly consistent with Australia’s concept of democracy and the ministerial accountability that exists in our system of government. How can a government be held accountable if the public know little or nothing about the issue?
The execution of most governmental data storage programs, just like anything new, will no doubt contain some flaws that will eventually be taken advantage of. In the case of a leak of passport data, the possibility of personal identity theft and compromised security on both a personal and national level is significantly greater than that currently experienced.
So, if Julie Bishop is serious about heading down the road to cloud-based passports, we need a clear plan from the government about the proposal before it’s implemented. Though if the metadata shambles is anything to go by, we’re probably not going to get that.