Transcript of Question & Answer Session Panel participation at the 13th Annual Tech in Gov conference

Thank you, Katrina and good morning, everyone. Good morning, Lindsay.

Good morning, Victoria.

As a lead in to this morning, I thought it might be helpful to reflect on some of what we heard yesterday, and in my mind, that fits into two categories really. There was a lot of talk about data and organisations becoming data driven, and the inherent challenges in realising the opportunities. I think it was a gentleman from ANZ that said that we need to move from this unpermissioned surveillance to trusted intelligence. I think that's a really helpful framing for that we have to change the data dialogue at the moment. And I was also quite impressed at the gentleman who's ex-Facebook. He listed the number of pivots that Facebook had been through, and it looks like the last pivot is privacy. It was the one on the bottom of his list, so there's hope, right?

And then so as well as hearing about data, we also heard about some gloom and doom, I think. You know, the statement, ‘we're already at war’, and while that's a bit disheartening, I think it's disheartening because it's been going on for too long. So, one of the things I wanted to start with as a backdrop to this discussion was some reflections from Kim Cameron, who's my identity hero. He's the godfather of identity for many people and as far back as 2005, he said very eloquently, "It's all a mess." As well as highlighting that the fact that we've trained people to accept this mess, he spoke about this patchwork of identity one-offs. What do you think? Was Kim right? What's the problem with digital identity?

Thank you, Victoria, and good morning. It's rather interesting that we've described it as a patchwork, and I think David Birch in a session yesterday described it as ‘being all broken’. I think to call it a patchwork might be giving it more credit than what it actually deserves. I'd prefer to describe it as a hotchpotch, a current approach to digital identity …

Because there's some order in patchwork, right?

That's right. There's order in patchwork. My grandmother was a quilter and some of her patchwork looked pretty damn good, actually. It was all connected, so even though there were different pieces, they came together in a quilt perfectly. I don't think we have that in digital identity at the moment. What we have is a hotchpotch and it's not appropriate for the kinds of problems that we need to solve. The way in which technology is evolving here in the digital world is that it's becoming much more integrated, much more interdependent.

We're relying more and more on networks. We can sit at home now and order things from one side of the world to the other. We just have to be in front of a screen. We don't have to be physically present in a shop or at a counter to do a transaction. In fact, as technology evolves, we probably won't need to sit in front of a screen. We'll just have to vocalise it from within our homes and workplaces to get things done.

So, the systems and the services that we're using to do transactions are networked, and becoming interdependent. But, that's not the way in which the digital identity solutions in Australia are currently set up. They're very much a hotchpotch, as I suggested. Organisation that rely on identities being authenticated seem to be doing their own thing without any cohesion amongst them.

It doesn't seem sensible to try to solve a network problem using non-networked solutions. We really need to move our digital identity solutions to reflect the problems that are being thrown up by the networked architecture of the systems that we're using for our transactions.

I think that's a really good point, and I've just changed the backdrop to the conversation to pull out a statement from The Murray Report, which came out of the Financial Systems Inquiry, and part of me wants to groan and say, "This was done in 2014 and now we're five years ahead" and although there are some nascent signs of hope which we'll come on and talk about, the fragmentation and the vulnerabilities that the fragmentation create really are there.

Given that there's an economic need and also a customer need to do something, Katrina very rightly pointed out that possibly the most important stakeholders in this whole conversation are not actually in the room. They're the people that rely on online services. Why is it a problem that the Australian Payments Council has chosen to look at?

It's an interesting question. Some organisation, some representative group, needed to take the lead in order to get the digital identity from the hotchpotch arrangement that we currently have to the networked solution that will be appropriate to deal with the needs of networked transaction services. Who is best to do it? It almost goes without saying that, in a world where many transactions are digitally-based, there is a growing need for people to authenticate their identity online for all kinds of transactions - applications and renewals of driver's licences, health insurance claims, grocery shopping, all those sorts of things.

The one thing that we do almost every day, and which underpins many activities, is make payments. It would be a rare day that I don't make an electronic payment of some kind, even if it's just buying lunch. Also, to reap the benefits of the innovations and changes taking place in the payments industry, such as open banking, it is important to have in place a solid, networked arrangement in which individuals can authenticate their identity when making a payment.

It seems reasonable, therefore, that the organisation or the grouping taking a leadership role in trying to pull the hotchpotch of digital identity solutions together in a networked solution is one that has some role in payments. The Australian Payments Council fits that bill. The Council was set up with support of the Reserve Bank of Australia to provide strategic direction for the payments industry. Networking digital identity is a strategic issue.

Importantly, a number of different industries are represented on the Australian Payments Council reflecting the fact that payments underlie many of our daily activities. The representation includes retailers, telcos, as well as the major banks and other financial institutions. A technology industry representative has also just been added to the Council's number. This broad representation, which brings different industries together, is very helpful in achieving a networked solution to payments issues, including digital identity. The Payments Council has that representation

I think I remember when the Payments Council agreed to take on the project as well. There was some recognition of the fact that those organisations are at the frontline of the pain caused because we don't have strong authentication mechanisms online. We look at card not present fraud, it was mentioned yesterday, the latest figures came out today actually, and it's grown. And identity theft as well, lots of identity theft is built on the fact that someone's found your credit card or your driver's licence that you've scanned up for a service that you want to subscribe to.

I think the other interesting thing about the Payments Council was the authority which enabled it to build partnerships with organisations outside. I see Jonathan in front of me, we partnered with the DTA on the creation of the Trust ID framework, and that was really important. I think around the Council table for a while, and because of what Murray said, there was this sense of, "Well, do we do something with the private sector? Do we work with public sector?" I think we've landed on a very pragmatic starting point of the private sector has some very specific needs and there's some momentum in the market, and we'll create a framework that works for our needs. It's a meta framework we've created, so I just wanted to highlight that a little bit to bring some clarity around what we mean about a framework.

It's not a solution, it's not a scheme, and here we've got our made up Gov ID, but the intention is absolutely that a service provider who's providing service into the government is able to provide services into the private sector. This is an interoperability domain with some provisions around communication protocols, attributes, and the intention is to create competition. Again, yesterday, there was this discussion about digital identity as a platform for innovation, and that's absolutely the intention with leading freedom of choice to different solution providers, to create services that work for their customers.

I think the Payments Council and the support of the RBA has been really important in bringing a wide set of participants together for that.

The Payments Council has been very clear on its intention. It didn't want to build the solution itself. It felt as though the private sector, that private service providers were better placed to provide a solution, but what was lacking was the interoperability between those solutions, between those services. The intention of the Council was to create a framework that promotes competition and innovation but, at the same time, allows interoperability between the different digital identity services, to get away from that hotchpotch, to make sure that we had a networked solution to address a network issue.

We've got the start of what feels like a really strong way forward now. We've got a really strong starting point. Any organisation that offers their services within that framework brings the promise of interoperability. It solves that chicken and egg problem. If we cast our mind forward a little bit, I mean, what benefits do you think there will be? How will businesses and consumers and government benefit from these ID services? As a backdrop, I've got a recent stat from Sweden, and everyone loves to talk about the Nordics. I love to talk about the Nordics, because they're a success, but there are a number of things that we can't replicate in this country.

Digital identity is culturally specific, it depends on the regulations, it depends on the appetite of the different service providers to work together. We can't just wholesale lift what they've done and do that here, and actually I'm not sure that even just lifting what they've done in the Nordics would make sense, because we want to create more competition, we want different solutions, we want to compete on innovation. But they've been pretty successful. There's a tipping point there, where the whole reach of the economy has meant that people are using these services. I know some people use them 10-11 times a day, so how will we reach this point in Australia? Do you think we'll accrue all these benefits in this market?

We certainly hope we'll reach that point in Australia. The framework has been set up in such a way that will help promote, that will allow us to get that point. But the Council was also, in setting up the framework, very keen to make sure that this wasn't a finance-only, or a banking industry-only solution.

Even though the payments industry has taken the lead through the Australian Payments Council, it is important that the framework allows other industries to use it.

I think you see that here in this graph in the case of Sweden. Initially the Swedish solution was bank driven, but eventually, around 2013, other industries started to piggyback on that solution. When those other industries started to come on-board the use of the solution became more widespread. People started to realise the convenience of having a networked solution for digital identity and the benefits that flowed from that convenience.

It's when you start to get everybody working together within the framework that you see the growth and use and the benefits start to flow through the community more generally. Banking and the payments industry have a vested interest in making this work. But they also have an interest in making sure that it's available to a broader range of industries.

There is also a structure to the delivery of technology services. Typically, there are two parts to the structure: there is a competitive component, and there is the utility or networked component. Often the networked component needs to be provided through collaboration of industries and companies providing the services, much like a utility. But the competitive component is provided by individual players and service providers who compete with each other to provide the services to customers.

To drive momentum and …

To drive momentum, to keep prices down, and to ensure innovation. We want companies to compete like crazy at that competitive level, but we want them to collaborate like crazy to provide the networked component of the services. If the distinction between those two things isn't necessarily well drawn, then the competitive layer may creep into the utility layer. You'll get service providers saying, "Well, we're not going to collaborate to deliver the utility services because our competitors are using it as well."

At that point, there needs to be a very clear distinction between the competitive layer and the utility layer and often that comes about either through regulation, either self-regulation, or official regulation. Or it could be there through legislation, but something has to make sure that that networked layer is provided and that it is done in a collaborative way in order for the competitive layer of services to work well.

It's when you get that distinction happening and becoming very clear that you then get a significant increase in the way in which a service that relies on a network being used.

Many of the discussions, as you know, in terms of building this framework were about where's that line between compete and collaborate? Through working groups of focusing on technical questions, business questions, governance questions, we worked out where that line is. I think it's really important you need enough to collaborate on to stimulate the market, but you need enough as a prize in it to compete, to keep it going. Hopefully we've found the right balancing. I'm sure the framework …

I think we haven't had that right balance up until fairly recently, and hopefully with the Trust ID framework set out by the Australian Payments Council, we've now got that point or at least created the preconditions for it to be well defined.

Thank you. I think we can have some questions now. I don't think there are microphones, but it's a small room and everyone's got loud voices. Yes?

Yesterday there was quite a lot of talk about this networking problem. I don't understand what networking problem means. I was wondering if you could deep dive, that's a bit jargony.

So why do we say identity is a networked business?

Yeah. [unclear 00:19:26].

Sure. It's a two-sided market thing. If you think the easiest analogy is a card, so you don't care who's given you your bank card. You know that you can walk into a shop and pay, and there are technical specifications that make that possible. And there's a governance layer, so that if something goes wrong, the right people get paid. A two-sided market requires people on both sides of the markets to do similar things technically, and you need a governance layer for it.

A retailer wouldn't accept a payment card if no one had that card, and no one would want a card if they couldn't use it anywhere. One of the challenges in this market with digital identity, I think Australia Post has done an incredible job of championing the topic and they've put a lot of money investing in services, it was very hard for them to convince anyone to accept their identity, because they haven't enrolled enough people, and they couldn't enrol people because there was nowhere to use it. That's that two-sided market network problem.

In terms of the Payments Council, if you are talking about that you need critical mass to actually get onboarded, get people to take up the service. What are you guys doing in that space to draw people in to that [unclear 00:20:53]?

The framework specifies in interoperability domain.

What framework are you talking about?

The Trust ID framework. The Payments Council has just created a Trust ID framework.

It's basically a set of rules. You want to think of it as a set of rules by which a digital identity service provider operates. They are being asked to sign up to those rules. One of those rules is that you make your system interoperable with another service providers system.

What does interoperable mean?

You agree to accept everyone's identity. You agree to process transactions from all service providers who meet the requirements of the framework.

Will there be some standards developed somewhere to talk about what those things are?

Sorry, didn't hear that last?

Where are the standards to describe what those things are?

In the framework documentation. There's a 200-page document that describes the framework, and as you would expect, we haven't invented some weird Australian standard for identity. It's all based on quite a lot borrows from CDR, Consumer Data Right, lots of what Data61 has done is on GitHub, so it uses OpenID and all the standard protocols. It draws on TDIF, and on NIST, as well.

The best way to think of this is that when you go to make a payment using a card, whether it's a credit card or a debit card, and you go to the retailer, you don't see a number of different terminals. You don't see one for Mastercard, you don't see one for Visa, one for Amex, one for UnionPay or whatever. You only see one terminal and that's because they've made those … That particular network has become interoperable. You only need to tap on one terminal, depending on who your service provider is. The payment will go through.

Similarly, for digital identity, you don't want to go over there and lodge your digital identity to one type of transaction, go over there and lodge your digital identity for another and so on. You only need to do it once, but the network, if you need to provide your digital identity to a company that uses a different service provider, will allow you to access, with your permission, information from your digital identity service provider.

Yesterday, this came up as well. The concept of a payment card. That would be a [unclear 00:23:15] could just pick up anybody's payment card and I can swipe 100 bucks anywhere. Digital identity surely has to be more rigorous to what it's …

The analogy only extends so far. That analogy is to describe the network effect. It's not used to describe the authentication around the use cases. It doesn't …

Have you got some stuff to talk about how you're going to build that rigour? So that we can get away from anybody can pick up an identity card and just start flashing it around the place?

Perhaps in some contexts is an unhelpful analogy. But I think the intention was to describe the network effects and in fact, the framework has really clear specifications around on boarding and authentication and verification. I'm really happy to follow-up with you afterwards, it sounds like you've got some really great questions.

And I can also see lots of hands, and unfortunately, we're out of time. But as I expected this conversation was going to spark a lot of interest, because we're at the beginning of the beginning, in terms of putting down that framework, and as Victoria said, there is more work to do from here. I don't know if it's possible after the break, if you will be here, Victoria, and Lindsay, to answer some more questions? Because I can see there are more questions for us to continue the conversation. But for now, I'm sorry, we need to wrap up and move into the next panel. Thank you very much for the work that is being done.