SENATOR THE HON GEORGE BRANDIS QCATTORNEY-GENERALMINISTER FOR THE ARTSADDRESS AT THE OPENING PLENARY OF THECeBIT AUSTRALIA 2014 CONFERENCE
SYDNEY 5 FEBRUARY 2014IntroductionI would like to begin by thanking the organisers of CeBIT Australia for the opportunity to speak at what is one the pre-eminent events that brings together representatives from business, government and the broader community to discuss developments in technology that are central to Australias future.It almost goes without saying to an audience like this that information technology is the key enabler of just about all aspects of life in the 21st century. Unfortunately, it is also a key enabler of crime and other security threats. In todays world, the protection of our IT systems and the information that they contain is an important priority for all governments, as it is for the private sector and the broader community at large. As the minister in the Australian government responsible for national security, I am committed to continuing to strengthen the governments engagement with business to ensure all Australians have trust and confidence when transacting online that their identities arwill be secure.One of the key elements of this work is the effort to combat cybercrime which has been estimated to cost Australia around $1 billion each year. Delegates to CeBITs Cyber Security Conference will no doubt hear more about these issues later today. I would like to focus on one aspect in particular, and that is the issue of digital identity. This is one of the best examples of an issue that is important both to law enforcement and cyber security on the one hand, and privacy and digital productivity on the other.The term identity theft was first coined, apparently, in 1964, but the origins of identity crime date back much further in fact they are recorded in the Old Testament.In the Book of Genesis Jacob assumes his brothers identity, by providing false symbols of his brother Esaus character to their blind father Isaac, in order to receive a blessing that was intended for Esau.Fast forward from Biblical times to almost 10 years ago and identity security is acknowledged as a priority by all Australian governments.The National Identity Security StrategyIn September 2005 the COAG Special Meeting on Counter-Terrorism agreed to develop a National Identity Security Strategy to combat identity crime and to better protect the identities of Australians. Thisstrategy was later formalised by an intergovernmental agreement signed in April 2007.The 2005 COAG decision also included the establishment of a national Document Verification Service to combat the misuse of false and stolen identities. This service was first funded by the then Government in the 2005-06 Budget and has since received a total of $30 million of Commonwealth funding.The National Identity Security Strategy was established with a strong law enforcement and national security focus. This is because identity crime can be used to facilitate all manner of serious crimes such as money laundering, drug trafficking and even terrorism.An example of identity theft is what is known as tombstone fraud. Those of you who are familiar with The Day of the Jackal may recall how the terrorist the Jackal assumed the identity of a dead person to evade detection by authorities.Despite greater use of technologies such as biometrics and other improvements in our identity security arrangements, the methods used by the Jackal are still available to criminals today. The growth of online genealogy research services can make it even easier to obtain the information needed to commit tombstone fraud, without actually needing to visit a cemetery.In 2011 a Sydney man was convicted of a range of offences in which he used fraudulent identities - obtained through tombstone fraud - not only to facilitate drug trafficking, but also to sell to his criminal associates who were involved in an outlaw motor cycle gang.Identity crime is rated by the Australian Crime Commission as a key enabler of serious and organised crime which in turn costs Australia an estimated $15 billion annually.In terms of broader impacts on the community, identity crime is also now one of the most prevalent crime types in Australia.Today I can announce the results of an identity crime survey conducted last year by the Australian Institute of Criminology.This survey asked 5,000 people about their experiences of identity crime and misuse. It disclosed a number of important findings: 9.4 per cent of respondents suffered the theft or misuse of their personal information in the previous 12months. 1 in 5 people reported misuse of their personal information at some time during their life. 5 per cent of respondents suffered financial losses as a result of identity crime. The average loss was over $4,000 per incident; ranging from $1to over $300,000 in the most serious case. Victims also suffered significant non-financial impacts: Victims spent an average of 18 hours dealing with the consequences of identity crime and more than 200 hours for victims of a total identity hijack 11 per cent of victims experienced mental or physical health problems requiring counselling or other treatment, and 6 per cent of victims said they were wrongly accused of a crime.These findings should be a call to action for us all and not just to redouble our efforts to combat identity crime.They are also a reminder of the importance of maintaining appropriate security in the online world in which Australians are spending increasing amounts of their time whether this be working, studying, shopping, socialising or any of the myriad other things that we can now do online. Verified Online IdentitiesAside from the direct impacts on victims of identity crime, traditional approaches to managing identity crime risks can create unnecessary burdens on business and citizens more broadly.This is particularly the case when transacting online. The question of identity is now central to establishing the confidence that is needed to facilitate a range of on-line transactions. But its becoming increasingly accepted that traditional approaches to managing identities online are, to put it bluntly, broken. Many of us know the joys of having to remember multiple passwords.Recent research by the Australian Communications and Media Authority from 2013 indicates that the average Australian maintains between 5and 50 different login and password combinations to manage their online lives.Not only are passwords open to exploitation by criminals, they are increasingly inefficient.Its been estimated that password problems take up between 20 and 30 per cent of all IT service desk calls. And that the annual cost of password resets alone is around $1 billion globally. So there is significant scope for savings for business, government and our customers - if we can improve our management of online identities.A recent study by the Secure Identity Alliance and Boston Consulting Group estimated that e-Government services, enabled by trusted digital identities, are set to yield an estimated $50 billion in annual global savings by 2020.Many governments around the world have recognised that establishing a system of trusted digital identities can not only help stimulate the digital economy, but also help to prevent identity related crime. New Zealand has established its RealMe service in which citizens can use a trusted government-issued identity credential to access a range of government and private sector services. Other governments are engaging the private sector even more closely in these efforts. For example, under the UKs Identity Assurance Programme accredited private sector identity providers offer citizens a choice of digital identity credentials that they can use to access government online services.At the last election the Coalition committed, in its E-Government and Digital Economy Policy, to working with the private sector in developing a national approach to verifying identities online. And earlier this year the Prime Minister jointly agreed with the NewZealand Prime Minister to investigate the mutual recognition of trusted online identities.The Document Verification Service (DVS)Australias Document Verification Service, or DVS, was originally conceived in 2005 as a tool to support law enforcement and national security outcomes; however it is fast becoming a vital enabler of the digital economy.The DVS enables organisations to verify information on government identity documents such as driver licences, passports and Medicare cards back to the issuing agency.DVS checks are conducted via a secure online system, providing a Yes/No response in 1-2 seconds. Privacy considerations are at the forefront of the DVS design. Thesystem is not a database; it does not store any personal information. All DVS checks must be done with the informed consent of the person involved. There are 20 or so government agencies that issue and manage the 50million or more government-issued documents that are the foundations of our national identity infrastructure. The DVS is used by an increasing number of these agencies.Id like to acknowledge the role of the NSW Government as being a leader in DVS use among state and territory jurisdictions. But government agencies are only part of our national identity infrastructure.
The private sector issues a greater number of identity documents, such as credit and debit cards, which are often used to prove identity. Business also performs a range of other important identity security functions, such as the work of the banks in the prevention of money laundering. DVS private sector accessThe government is working closely with the states and territories and the business community to expand DVS access amongst Australias private sector - the engine room of our digital economy. Im pleased to announce that the DVS commercial service is now operational. While still early days, there has been strong interest in the service: over160 private sector applications have been approved the service now has 23 active private sector users the first few thousand private sector transactions have been completed.Private sector use of the DVS is largely focused on companies in the financial and telecommunications sectors.The DVS makes it easier for banks to detect money laundering using fake identities. It makes it easier for mobile phone providers to check the identities of people purchasing prepaid SIM cards to help prevent criminals using these phones to mask their activities. And it also helps ensure the accuracy of telephone account information used for important public functions like emergency warnings.The DVS is also an important part of the Governments efforts to reduce the red tape burden on business by minimising compliance costs that can flow from these important regulatory obligations. DVS use for pre-paid mobiles has been estimated to achieve time and cost savings of well over 50 per cent, compared to other manual processes for verifying customer identities.Future directionsThe Government is working with the states and territories to further expand DVS access amongst the private sector. This includes businesses with identity verification requirements under state and territory legislation, such as e-conveyancing, electricity distribution and working with children checks. There is also a broader range of businesses which may also find it reasonably necessary to use the DVS, in accordance with the PrivacyAct, to help verify identities of their staff or customers. Discussions with industry have already shown that DVS access is helping to drive innovative new online business models and services, built around promoting trusted digital identities.Having appropriate privacy safeguards is important for maintaining public trust and confidence in the system. The DVS is a clear demonstration that privacy and security need not be mutually exclusive in the online environment: in many cases they can and should be mutually supportive. The Australian Government looks forward to reaching agreement with the states and territories over the coming months on new arrangements for expanding private sector access to the DVS. ConclusionIn highlighting the importance of identity security, let me conclude by emphasising that Australians retain the right, enshrined in the Privacy Act, to act anonymously in a wide range of situations. Governments and business need to respect this right by only requesting the verification of a persons identity when they have a reasonable need to do so and then only to the degree required by the transaction.Similarly, governments and business should be able to confirm a persons identity when they have a need to do so to have confidence that the person is who they claim to be online. As I said a moment ago, the need for identity security and the right of privacy are not mutually exclusive, and are indeed complimentary objectives. Tools like the DVS are important enablers of the digital economy, and are also a key part of national efforts to combat identity crime one of the most prevalent crime types in Australia.During the course of your conference, I encourage you to reflect on the importance of trusted digital identities over what promises to be a series of stimulating discussions on cyber security, e-government, digital economy and related issues over the coming days. And I wish you well with what Im sure will be a successful, stimulating and consequential conference.ENDS