Bug bounty program, audit regime help secure NSW’s digital licence, minister says

Australia should consider EU-style privacy regime, state’s customer service minister says

Credit: ID 50652981© Ymgerman Dreamstime.com

New South Wales’ digital driver’s licence (DDL) is, in many cases, more secure than physical licences, the state’s customer service minister has said.

“The digital licence, being on your phone, is protected by your passcode, fingerprint, face ID – so if you lose your phone, your digital licence is safe,” Victor Dominello said in remarks prepared for an Australian Information Industry Association (AIIA) event, “And when you find your phone, or get a new one, you can immediately use your digital licence again.”

The DDL went live last week (and enjoyed a somewhat rocky start after a flood of people sought to download digital versions of their licences).

In the first week since it went live, more than 680,000 people have downloaded the DDL, meaning that around 12 per cent of NSW drivers have opted-in.

The licence was subjected to “multiple rounds of security testing and audits,” and Service NSW launched a bug bounty program as part of the DDL development process, Dominello said.

“This allows independent security experts to get hands on with the underlying code and get rewarded for finding areas where the security of our platforms can be further improved.”

“Bug bounties are commonplace in the technology industry and this is one of the first examples of a state government collaborating with the cyber security industry in this way,” the minister said. “Ultimately, it means the people and businesses of NSW get safer access to government services.”

Australian GDPR

Australia should consider strengthening its privacy regime, which could include the potential introduction of a regime similar to the European Union’s GDPR, Dominello said in his speech.

“Given the digital maturity and ambition for our country, there is a strong case to look carefully at what can be done to strengthen the privacy protections for citizens,” the minister said, pointing to the example of the GDPR.

“Getting this right will both protect citizens and better support cross-border trade,” he added. “I have no doubt that it will eventually happen in Australia – but the question is: Will we be on the front foot or the back foot?”

During the alpha and beta phases of the DDL the government had completed three privacy assessments, Dominello said.

The government has put “privacy first in the design of the verification process” for the DDL, with individuals not required to hand their phone to someone checking their licence.

However the “high bar for privacy that we have set for the DDL doesn’t necessarily apply to third party users,” he added. When showing a DDL or physical licence to enter a venue, collect a parcel or for some other use, individuals “need to understand the privacy settings of that third party.”

The DDL rollout was preceded by three trials encompassing more than 20,000 people, beginning with a 2017 pilot in Dubbo, followed by one in Sydney’s eastern suburbs and a third in Albury.

Finally, before being thrown open to the public the DDL rollout was expanded to the 5000 staff of the state’s Department of Customer Service, which Dominello oversees.

Overwhelmingly, feedback from trial participants was positive. The minister said that the government had worked closely with sectors that need to check licences, such as the police and the liquor and gaming industry.

It is a “quirk of history” the driver’s licence has become the cornerstone identity document for individuals, making it a priority focus for NSW’s development of digital infrastructure, Dominello said.

The use cases for the DDL are likely to expand, Dominello said. The minister argued that over the long term, instead of a “driver’s licence” he expects it to evolve into an “opt-in multipurpose NSW Licence.”

“One digital licence that shows your permission to drive - tick, permission to work with children - tick, permission to sell alcohol, and so on,” Dominello said.

“When your details change, you can tell government once, and subject to your express consent, your details will be updated with every agency you grant permission to.

“In this way, when you apply for an additional permit from government to undertake a given activity, your details are filled automatically.”

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentcyber securityNSW GovernmentNew South Wales (NSW)Service NSWsecurityDepartment of Customer Service (NSW)

More about AIIAAustraliaAustralian Information Industry AssociationDubboService NSWUnion

Show Comments