National Document Verification Service Project (DVS)
Is this the biggest privacy threat this year? If so, nominate it for a Big Brother Award!
Current Status
The Australian Government’s national identity security strategy has various projects hanging off it, one of which is the Document Verification Service (DVS).
[See also the related National ID Card project, also known as the ‘Human Services Access card’ or national ‘smartcard’, which is intended to use the DVS as part of its registration process.]
The DVS has been described as an online service “to check the validity of proof of identity documents against the issuing agency”. The DVS project is therefore about rooting out the problem of fake foundation documents, such as the fake driver’s licence or birth certificate, which are then used to apply for a passport or for social security benefits.
The DVS was initially funded as a pilot project during 2005-06. However in the May 2006 federal budget, a further $28.3 million was allocated to the DVS, to roll it out on a national basis. Very little information about the DVS is available publicly, and no independent Privacy Impact Assessment has been done. Any internal privacy impact assessment, or evaluation of the pilot (if either has even been done), has not been published.
From what we understand to date about the DVS, its strength could be in its support for a dispersed identity model (rather than following a centralised population register model – i.e. the national ID card model), and secondly because it is apparently intended to work in a way to minimise privacy intrusions.
We think the DVS system itself is supposed to be ‘blind’ and to hold no data; the agency being asked to verify its document does not know the identity of the organisation asking the question; and the questioning agency is only given a minimal yes/no response.
But that’s only how we think the DVS will work – we don’t actually know the details. Nor, it would seem, did the government officials who appeared before a Senate Committee last year to explain the project. In a perfect example of poor policy decision-making, it was stated that “the details will be worked out as we build (the DVS)”.
We’re not exactly sure which agencies are involved either.
In May 2005 the Australian Attorney General’s Department claimed before the Senate that the prototype / pilot project would involve only DIMIA, DFAT, Austroads, and the NSW, Victorian and ACT registries of Births, Deaths & Marriages.
But the NSW Privacy Commissioner’s website suggests otherwise – in December 2005 he gave an exemption from the NSW privacy legislation to the NSW Roads and Traffic Authority to participate in a DVS pilot between 30 November 2005 and 30 June 2006. That exemption was extended in July 2006 for a further 12 months, to 30 June 2007.
The other projects under way under the auspices of the national identity security strategy, according to the government, include:
- “the development of a common range of proof of identity documents which government agencies will be able to use to identify clients who register with them for services”
- “the identification of appropriate security standards on those key proof of identity documents”
- “the identification of key data matching elements to improve the integrity of identity information held on existing government databases”; and
- “authentication of individuals accessing services”
Some of the questions we ask of DVS and its sister national identity security strategy projects are:
- what is the cost of the problem? (best estimate to date is A$1 billion p.a. is the cost of identity fraud in Australia)
- what will be the cost of the strategy’s projects to address the problem? (is the response proportional?)
- how will each project work, and which agencies and what personal information is actually involved?
- what impact will each of the strategy’s projects have on the problem? (will it make a positive net impact on identity fraud and theft?)
- what consideration has been given to alternative designs or ways of addressing the problem, in order to lower the cost and/or minimise privacy and other risks?
- how might other projects, like a Medicare smartcard, a Human Services Card, a unique national patient identifier or a national ID card, undermine the effectiveness of the strategy?
[See also the related National ID Card project, also known as the ‘Human Services Access card’ or national ‘smartcard’, which is intended to use the DVS as part of its registration process.]
Unfortunately not everyone seems on board the national identity security strategy yet. The message about tackling identity fraud through dispersed identity rather than centralised identity is not getting through – and as a result we risk making the problem worse.
Resources
- 29 August 2006 – Attorney General Philip Ruddock launches the Privacy Commissioner’s guide to conducting Privacy Impact Assessments, and says: “By conducting a Privacy Impact Assessment, government agencies will be able to take into account the community’s expectations about privacy protection, and reflect those in a project. This is something we should strive for”
- 22 May 2006: Attorney-General’s Dept publishes brief information about the NISS (National Identity Security Strategy)
- 9 May 2006: Govt announces funding for DVS of $28.3 million
- 12 December 2005 : NSW Privacy Commissioner gives exemption from privacy law to Roads & Traffic Authority to participate in DVS pilot
- 12 July 2005, at the 4th Homeland Security Summit, “Safeguarding Australia 2005”, Canberra:
- Attorney-General Phillip Ruddock speaks about DVS and the national identity security strategy, see paras 49 to 56 (12 July 2005, paper)
- APF Chair Anna Johnston speaks about the strengths and limitations of DVS (paper and slides)
- Australian Privacy Commissioner Karen Curtis also addressed DVS (paper)
- 23 May 2005 : Miles Jordana, Deputy Secretary in the Australian Attorney-General’s Department, attempts to explain the DVS project to a Senate Committee (see pages 121-134)
- 10 May 2005 : Attorney-General Philip Ruddock announces budget for National Security Strategy
- 14 April 2005 : Australian Government announces National Security Strategy
- 9 March 2005 : Attorney-General Philip Ruddock replies to our letter about the DVS, noting the feasibility study conducted on the DVS is not available for public release, but promising that a Privacy Impact Assessment will be done “at the relevant time”
- 3 February 2005 : APF writes to Privacy Commissioner, about the DVS
- 3 February 2005 : APF writes to Attorney-General Philip Ruddock, about media reports about the DVS
Media Releases
- 21 January 2005 : APF Media Release on Document Verification System