Hostname: page-component-745bb68f8f-g4j75 Total loading time: 0 Render date: 2025-01-31T02:55:47.839Z Has data issue: false hasContentIssue false
  • English
  • Français

Digital Citizenship and the Right to Identity in Australia

Published online by Cambridge University Press:  24 January 2025

Clare Sullivan
Clare Sullivan*
Affiliation:
School of Law, University of South Australia, Campus West, George Street, Adelaide, South Australia, Australia 5000
*
T: 61 8 803020308. Email: clare.sullivan@unisa.edu.au.
Get access Rights & Permissions [Opens in a new window]

Abstract

Australia has announced the need to review the distribution of responsibility among individuals, businesses and governments, as a consequence of the move to digital citizenship. Australia has formally framed the issues in these terms and has opened dialogue between government and citizens regarding responsibilities for the use and protection of digital identity.

This article examines digital citizenship in Australia and considers the implications for individuals, government and the private sector of the requirement for an individual to use his/her digital identity for transactions. The features and functions of digital identity are examined, and the consequences for individuals, business and government of system failure are considered. The analysis shows that, while there are consequences for all, individuals are most affected.

The author argues that the traditional approach of relying on privacy for protection is inadequate in these circumstances. Privacy, by its nature, cannot adequately protect the part of digital identity which is required for transactions. The argument presented is that, unlike privacy, the right to identity can protect the set of digital information required for transactions. Considering the new system is literally being imposed by government, the inherent vulnerabilities of the system, and the consequences of system failure for individuals, formal recognition of the right to identity is an essential element of accountable and responsible governance. Whilst in time the right to identity in this context may be recognised by the courts, the author argues that legislative recognition and protection of an individual's right to digital identity is needed now as a key component of the distribution of responsibility in this new digital era.

Type
Research Article
Information
Federal Law Review , Volume 41 , Issue 3 , September 2013 , pp. 557 - 584
Copyright
Copyright © 2013 The Australian National University

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 The new scheme being rolled out in India is the most recent example of a comprehensive scheme, see iGovernment, India plans multi-purpose national ID card for citizens (24 August 2010) iGovernment http://www.igovernment.in/site/india-plans-multi-purpose-national-id-card-for-citizens?page=1>.

2 A transaction is any dealing for which an individual is required to use digital identity. A transaction may be between an individual and a government department or agency or with a private sector entity if that is permitted under the scheme, and can range from an enquiry to a contract. This article focuses on the consequences for individuals, i.e. natural persons.

3 As one commentator observes in relation to identity, much legal doctrine obscures the salience of identity qua identity, though when confronted directly with the issue, the law does give substance to the importance of identity.’ See Richard R.W. Brookes ‘Incorporating Race’ (2006) 106 Columbia Law Review 2023, 2097.Google Scholar

4 Digital identity is all the information digitally recorded about an individual, i.e. a natural person that is accessible under the particular scheme. ‘Information’ includes ‘data.'

5 As Andrew Feenberg observes, this is the ‘substantive impact’ of technology. See Andrew Feenberg, Critical Theory of Technology (Oxford University Press, 1991) 5. See also, Cockfield, Arthur and Pridmore, Jason, ‘A Synthetic Theory of Law and Technology’ (2007) 8 Minnesota Journal of Law, Science and Technology, 491.Google Scholar

6 For a detailed discussion of the legal nature of transaction identity, see Sullivan, Clare, ‘Digital Identity – The ‘Legal Person'?’ (2009) 25 (2) Computer Law and Security Review 227.CrossRefGoogle Scholar

7 Australian Government, Connecting with Confidence: Optimising Australia's Digital FutureA Public Discussion Paper (Department of Prime Minister and Cabinet, 2011).Google Scholar

8 Ibid. The scheme is now well underway, its foundations being laid primarily through Medicare, the national health care scheme covering all registered Australians and eligible residents. In June 2010, e.g. the Coalition supported the Labor Government's proposal to compulsorily assign (with some minor exceptions) a 16 digit individual identifier to every Australian resident on the Medicare database on July 1, 2010. In relation to this Australian Individual Healthcare Identifier ('IHI’) which has been assigned to Australians, see the Office of the Privacy Commissioner <privacy.gov.au> at September 11, 2010.

9 Australian Government, Connecting with Confidence, above n 7, 10.

10 Ibid.

11 An example is an individual who has a credit card for personal use in the name John Smith which is billed to his home address and another card even from the same credit card company for business transactions in the name of Dr J M Smith billed to his work address and to which a different customer number and PIN is assigned.

12 This is a feature of similar schemes in other countries. It is a stated feature of the new national identity scheme being rolled out in India and it was a feature of the scheme planned for the United Kingdom and extensively documented. See Information Commissioner's Office, The Identity Cards Bill – The Information Commissioner's Concerns (June 2005) Information Commissioner's Office <http://www.ico.org.uk/upload/documents/library/corporate/detailed_specialist_guides/id_cards_bill_-_ico_concerns_may_2005.pdf>.

13 Other than in exceptional cases such as gender re-assignment, for example, the information that is most commonly subject to change is surname, mainly for women in the event of marriage.

14 In some schemes such as those in Europe and Asia identifying information includes biometrics, as well as a head and shoulders photograph. The usual biometrics are 10 fingerprints, two iris scans and a face scan.

15 The 16 digit individual identifier assigned to every Australian resident on the Medicare database on July 1, 2010. See, the Office of the Privacy Commissioner <privacy.gov.au> at September 11, 2010.

16 Note that this is the way these terms i.e. authentication and verification, are defined for the purposes of a national identity scheme. Authentication and verification are often misused in describing the functions of transaction identity.

17 Definition of ‘authenticate’ in the Merriam-Webster Dictionary <http://www.merriam-webster.com/dictionary/authenticate>. The Concise Oxford Dictionary defines ‘authenticate’ as ‘establish the truth of; establish the authorship of; make valid'. See, Concise Oxford Dictionary (Oxford University Press, 12th ed, 2011).Google Scholar The Macquarie Dictionary (Macmillan, 6th ed, 2013) similarly defines ‘authenticate’ as ‘to establish as genuine'. The Merriam-Webster Dictionary defines ‘authenticity as ‘worthy of acceptance or belief as conforming to or based on fact'; ‘conforming to an original so as to produce essential features’ and, interestingly, ‘true to one's own personality, spirit or character'. The latter meaning is significant in relation to the right to identity, which is examined later in this article.

18 Photograph is distinguished from a face scan. A face scan is a biometric. In schemes that use a face scan, the scan is not used to verify identity for all transactions. Many transactions only involve matching the appearance of the person with the photograph.

19 Concise Oxford Dictionary (Oxford University Press, 12th ed, 2011). The Concise Oxford Dictionary also defines ‘identify’ as to ‘treat (thing) as identical with; associate oneself inseparably with (party, policy, etc); establish identity of’ (emphasis in original). The Macquarie Dictionary defines ‘identify’ as ‘to recognise or establish as being a particular person or thing; attest or prove to be as purported or asserted.’ See, Macquarie Dictionary above n 17.

20 This is so even in countries that have implemented schemes that use biometrics. Whilst the primary role of the identifying information is to link an individual to transaction identity, in high level, high value transactions biometrics may be required as part of transaction identity.

21 ‘Verify’ as used in these schemes accords with its definition in the Merriam-Webster Dictionary: ‘to establish the truth, accuracy, or reality of <verify the claim>', Merriam Webster Dictionary <http://www.merriam-webster.com/dictionary/verify>.

22 Such as name, date and place of birth as well as with signature, photograph and biometrics; but bear in mind that not all transactions will use all the identifying information. Routine transactions may only require matching photo or signature. Many low value transactions, such as those using the new Paywave technology, do not require a signature or photo check.

23 The information may be presented remotely and even automatically using computer programming, without any active involvement by an individual at the time of a transaction, though of course some human involvement is required at some stage.

24 However, passports, particularly biometric passports, are now very close to transaction identity in functionality.

25 Derham, David, ‘Theories of Legal Personality’ in Webb, Leicester C. (ed), Legal Personality and Political Pluralism (Melbourne University Press, 1958) 1, 14.Google Scholar

26 In a study in which supermarket cashiers compared real people, not known to them, to photographs on the credit cards they presented, only 50 per cent accurately accepted or rejected the cards. When the card contained a photograph resembling the person presenting it, only 36 percent of the cashiers correctly rejected the card. See, Kemp, Richard, Towell, Nicola and Pike, Graham, ‘When Seeing Should Not Be Believing: Photographs, Credit Cards and Fraud’ (1997) 11(3) Applied Cognitive Psychology 211.3.0.CO;2-O>CrossRefGoogle Scholar Research also shows that individuals are better at recognising and discriminating own-race versus other-race faces. On this topic, see Walker, Pamela and Hewstone, Miles, ‘A Perceptual Discrimination Investigation of the Own-Race Effect and Intergroup Experience’ (2006) 20(4) Applied Cognitive Psychology 461CrossRefGoogle Scholar and Hancock, Kirsten and Rhodes, Gillian, ‘Contact, Configural Coding and the Other–Race Effect in Face Recognition’ (2008) 99 British Journal of Psychology 45.CrossRefGoogle ScholarPubMed See also Kersholt, Jose, Raaijmakers, Jeron and Valeton, Mathieu, ‘The Effect of Expectation on the Identification of Known and Unknown Persons’ (1992) 6 Applied Cognitive Psychology 173CrossRefGoogle Scholar, and Stevenage, Sarah and Spreadbury, John, ‘Haven't we Met Before? The Effect of Facial Familiarity on Repetition Priming’ (2006) 97(1) British Journal of Psychology 79.CrossRefGoogle ScholarPubMed

27 For example, the accepted error rate for automated facial scanning is 10 percent, although advances in technology are reducing error rates and an error rate of two percent has been reported in Australia under controlled conditions. That 2 percent error was achieved in trialling Smartgate at Sydney airport using Qantas crew. Lighting conditions in the building were modified to improve facial recognition, users were given special training, and the system was used daily to scan a relatively small group of recurring faces. Templates stored by the system and used for comparison were also updated daily. See: London School of Economics and Political Science and the Enterprise Privacy Group, ‘The Identity Project: an Assessment of the UK Identity Cards Bill and its Implications’ Interim Report, March 2005, 49. Similarly, the error rate for fingerprint matching is generally considered to be relatively low, although the exact error rate is now unclear. Until recently, fingerprint evidence was regarded as having a zero error rate. That claim is now disputed and courts in the United States, the United Kingdom and Australia have rejected fingerprint evidence as unreliable. See Simon Cole, ‘More than Zero, Accounting for Error in Latent Fingerprint Identification’ (2005) Journal of Criminal Law and Criminology 985, 999. See also ‘Finger of Suspicion’ on Panorama 19 May 2002 <bbc.co.uk> at 29 May 2006, and Four Corners 23 September 2002 <abc.net.au> at 10 May 2006. Fingerprint evidence has been rejected on the basis of error in matching prints rather than on the basis of their uniqueness. See Zabell, Sandy, ‘Fingerprint Evidence’ (2005) 13 Journal of Law and Policy 143, 167, 169.Google Scholar

28 For a detailed analysis of the contractual implications see Sullivan, Clare, ‘Digital Identity and Mistake’ (2012) 20 International Journal of Law and Information Technology, 223.CrossRefGoogle Scholar

29 All the identifying information typically used has acknowledged error rates. Comparison of appearance to a photograph, a method commonly used to verify identity, has the highest error rate if there is not a history of personal acquaintance. Biometrics including a handwritten signature, fingerprints and face scans are not infallible. Errors, including false positives, can arise. Moreover, system malfunction can result in reading errors, recording errors including incorrect linking of information. For a more detailed discussion of the fallibilities of identifying information, including biometrics, see Clare Sullivan, Digital Identity: An Emergent Legal Concept (University of Adelaide Press, 2011), ch 4.

30 The other person may use an individual's identity accidentally such as by inadvertently keying in incorrect information, though these instances would be comparatively rare.

31 The leading High Court of Australia decision is Australian Broadcasting Commission v Lenah Game Meats (2001) 208 CLR 199 ('Lenah’) in which, in their joint judgment, Gummow and Hayne JJ were careful to leave open the possibility of recognising an Australian tort of privacy but the development of a tort for invasion of privacy in Australia remains uncertain at the time of writing. See Lenah (2001) 208 CLR 199, 258.

32 See particularly the Australian Privacy Principles.

33 See European Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 June 1952) art 8.

34 See, eg, Criminal Law Consolidation Act 1935 (SA) s 144.

35 For a detailed discussion of the these offences, see Sullivan, Clare, ‘Is Identity Theft Really Theft?’ (2009) 23 International Review of Law, Computers and Technology 85.CrossRefGoogle Scholar

36 As it does in South Australia, for example; see, Criminal Law Consolidation Act 1935 (SA) ss 5 (definition of ‘property’), 85(3).

37 Neethling, Johann, Potgieter, J and Visser, P, Neethling's Law of Personality (Lexis Nexis, 2nd ed, 2005) 36.Google Scholar

38 Ibid.

39 Ibid 37.

40 Ibid 36.

41 As does the Data Protection Act 1998 (UK) c 29. The Data Protection Act 1994 (UK), on which the current version is based, was the model for the Australian privacy legislation when it was first enacted. The Data Protection Act 1998 (UK) replaced and consolidated earlier legislation and aimed to implement the Council Directive 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281/31 (‘European Data Protection Directive’).

42 For a more detailed discussion of this point, see Sullivan, Clare, Digital Identity (University of Adelaide Press, 2010).Google Scholar See also LoPucki, Lynn M, ‘Did Privacy Cause Identity Theft?’ (2002) 54 Hastings Law Journal 1277Google Scholar; LoPucki, Lynn M, ‘Human Identification Theory and the Identity Theft Problem’ (2001) 80 Texas Law Review 89.Google Scholar

43 [2003] EWCA Civ 1746 [30].

44 The English legislation is framed in terms of data, whereas the Australian privacy legislation refers to information. The definitions in both statutes cover both data and information.

45 The Court of Appeal was influenced by the fact that Durant was attempting to obtain information previously denied to him as part of the discovery process during litigation, and on the basis of the need to protect third parties. See also Data Protection Act 1998 (UK) s 7(4).

46 See, Neethling, Potgieter and Visser, above n 37, 37.

47 It is doubtful whether there is any circumstance in which unilateral interference with, or removal of, identity can be justified.

48 If the individual is prevented from using his or her transaction identity for all transactions, however, that would, in effect, be a denial of his or her right to identity under the scheme.

49 See, eg, Witness Protection Act 1994 (Cth) ss 11, 19.

50 The right to privacy is generally considered to be extinguished by death.

51 Convention on the Rights of the Child, opened for signature 20 November 1989, 1577 UNTS 3 (entered into force 2 September 1990). The convention was the first international treaty to cover a full range of civil, political, economic, social and cultural human rights in one document.

52 Ibid art 16(1) states that, ‘[n]o child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.’ Article 16(2) states that, ‘[t]he child has the right to the protection of the law against such interference or attacks.'

53 Ibid art 8(1) (emphasis added). Article 29(1)(c) which deals with the education of the child also mentions identity; but it is identity in a different context and in a narrower sense — cultural identity.

54 Ibid art 7(1) provides that ‘the child shall be registered immediately after birth and shall have the right from birth to a name, the right to acquire a nationality and, as far as possible, the right to know and be cared for by his or her parents'.

55 However, protections under the convention only apply to children.

56 See Sharon Detrick, The United Nations Convention on the Rights of the Child: A Guide to the “Travaux Préparatoires” (Martinus Nijhoff Publishers, 1992) 292. The original proposal was, ‘the child has the inalienable right to retain his true and genuine personal, legal and family identity. In the event that a child has been fraudulently deprived of some or all the elements of his identity, the State must give him special protection and assistance with a view to establishing his true and genuine identity as soon as possible. In particular, this obligation of the State includes restoring the child to his blood relations to be brought up.'

57 See Avery, Lisa, ‘A Return to Life: The Right to Identity and the Right to Identify Argentina's “Living Disappeared“’ (2004) 27 Harvard Women's Law Journal 235.Google Scholar Their campaign resulted in Argentina recognising a constitutional right to identity and adopting an open adoption system.

58 Opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953).

59 Ibid. Compare Charter of Fundamental Rights of the European Union [2000] OJ C 364/01, art 7, which is entitled ‘Respect for private and family life’ and simply states that, ‘[e]veryone has the right to respect for his or her private and family life, home and communications.'

60 [2003] All ER 255.

61 Ibid [57] citing PG and JH v United Kingdom ECHR [2001] IX. Eur Court HR (emphasis added). See also Von Hannover v Germany [2005] 40 EHRR 1, [50] where the European Court stated that: ‘[t]he Court reiterates that the concept of private life extends to aspects relating to personal identity, such as a person's name … or a person's picture … ‘.

62 Reich, Charles, ‘The Individual Sector’ (1990) 100 Yale Law Journal 1409.CrossRefGoogle Scholar

63 Ibid 1442.

64 Ibid 1409.

65 Peck [2003] All ER 255, [57].

66 The European Court has also observed in relation to art 8 that ‘effective deterrence against grave acts … where fundamental values and essential aspects of private life are at stake, requires efficient criminal law provisions'. See MC v Bulgaria (2005) 40 EHRR 20, [150]. This case concerned a rape that occurred in a domestic situation but the sentiments of the court can apply to any grave act where fundamental rights are at stake. The full statement made by the court is that:

[p]ositive … obligations on the State are inherent in the right to effective respect for private life under Article 8: these obligations may involve the adoption of measures even in the sphere of relations of individuals between themselves. While the choice of the means to secure compliance with Article 8 in the sphere of protection against acts of individuals is in principle within the State's margin of appreciation, effective deterrence against grave acts such as rape, where fundamental values and essential aspects of private life are at stake, requires efficient criminal law provisions. Children and other vulnerable individuals, in particular, are entitled to protection. (emphasis added)

67 Mabo v Queensland (No 2) (1992) 175 CLR 1, 42 (Brennan J).

68 The Reform Act was the culmination of a comprehensive privacy law reform process, which began almost 20 years after the Privacy Act was first introduced in 1988. Most of the changes come into force on 12 March 2014. A criticism of the Privacy Act prior to this amendment was that the Information Commissioner (formerly the Privacy Commissioner) did not have any real power in relation to serious privacy breaches. The Reform Act increases the Commissioner's powers to proactively monitor, investigate and enforce breaches of the Act with the assistance of the Federal Court.

69 There is no clear indication that the full consequences of the scheme for individuals have been considered.

70 See, Australian Government, Connecting with Confidence, above n 7, 10.

71 Ibid.