Tuesday, 20 October 2020

myGovID and Government's perception of privacy

Recently, the Australian Government has been pushing its myGovID as the way it would like us, Australians, to authenticate ourselves before the government. To use the government's own words, "myGovID is the Australian Government’s Digital Identity".

Our government's record in IT systems speaks for itself, from the good old CensusFail of 2016 through Robodebt and the more recent COVIDSafe app: general disrespect for public privacy, but worse - lack of understanding of basic security concepts that put the public safety at risk. If it's evidence that you seek to support this supposedly provocative statement of mine, just watch this video where an expert discusses how the COVIDSafe app relies on a Bluetooth vulnerability in order to function (if you can use that word, given the app's track record), thus putting Australians at risk. That's just that one example; I picked the most recent.

I was therefore rather intimidated upon discovering, the other day, that I am forced to use myGovID if I seek to potentially make a living out of my profession of choice.

The first thing I did was teach myself how myGovID is meant to work. The concept behind it is simple: one installs the myGovID app on one's smartphone. The first thing the app would ask you for is an email address and a password to associate with your account. Next thing it does is scan your identification documents (e.g., driver's licence) into the app in order for you to prove who you claim to be.

Once enough of these have been verified, you can start using myGovID for what it was meant to do: when visiting an online government service that uses myGovID for authentication (tax services, in my case), instead of the normal logging in using an email address and password that we're accustomed to, one simply provides the email address they supplied their myGovID app. A notification is immediately sent to the smartphone app, which - when called upon - provides the smartphone user with a 4 digit number. Type that number into the government website you are trying to access (on whatever device you happen to use), and you're logged in.

It's all nice on paper, but what actually happens when one installs the app on one's phone?

Well, the first thing to happen to me was a long wait. Eventually, after about 30 eternity like seconds or so of an unresponsive screen, I got the following:

I "killed" the app and went through the same motions again, only to get the exact same result. It was obvious the app was trying to do something that it was prevented from doing.

My first instinct turned out to be the correct one. My home wifi uses a Pi-hole, a little contraption whose purpose it is to block ads and trackers from ever getting through my network. Think about it as a the ad blocker you're running on the browser you're using to read this right now (and if you don't use an ad blocker, what are you waiting for?), only one that filters the entire network rather than merely a specific browser. According to my network's statistics, some 7% of traffic is thus blocked on my network, a pretty significant number given all my browsers utilise ad blockers of their own.

I checked to see what it is that the myGovID app was trying to do while the Pi-hole intervened, and found the following 2 internet connection targets:

Allow me to translate the above for you:

Basically, the first thing that the myGovID app tries to do is contact Google, and it tries to do so in a couple of ways. The app won't even start if it doesn't manage to establish such contact.

Specifically, myGovID tried to connect to Google's device provisioning, which is part of what most people know as Google Analytics. Google Analytics is probably Google's most prolific online tracking tool, used by 87% of the internet's top 100,000 websites: the website (or, in our case, app) gains all manner of analytics on how users are using the site, while - in parallel - the world's biggest advertising company, Google, gathers personal information on the people using the website (for example, the user's IP address, from which a location can be derived; and, more importantly, information that can be further tied what Google already knows about the device and/or its user). Google Analytics is, thus, a major player in Google's juggernaut operation of collecting as much data as it can about people for the purpose of targeting them with ads.

The other attempted connection made by the myGovID app was to Google's Firebase. Just like any other facility offered by Google, Firebase is a useful service, especially to app developers, who can use the platform for all manner of things ranging from user authentication to data storage. And just like any other facility offered by Google, Firebase does its thing while collecting end user information and tracking them and their devices (for the usual purpose, Google's bread and butter product of targeted ads).

Long story short, once I bypassed my own ad and tracking protector, the Pi-hole, the myGovID app started working and functioned as intended. The scanning of my ID documentation proved unreliable, and the handling of the resulting errors was less than elegant, but I got over that.

So, where am I heading with this long story?

My point is rather simple. If you were to read the myGovID privacy policy (let me help you, it's here), you will not find any mentioning of it sharing data with third parties (which is what Google is; the main two parties are you and the government). If anything, the privacy policy states that

We will not share your personal information with third parties including the document issuer, the identity exchange and the online services you attempt to access, without your consent.

Yet the myGovID app does share some data with a third party. And the app definitely does so without my consent, not even my forced consent, given data is shared with Google before anything else takes place within the app.

The point is, myGovID's violates its own privacy policy. And in doing so, our government is effectively saying that not only doesn't it care about our privacy, it doesn't even recognise Google for what it is: an advertising company that makes its fortune by, as is the case here, abusing the personal information of people who were coerced into using an online tool.

Australians should know where their government stands when it comes to their wellbeing. And as is the case here, Australians should be aware that their government does not care much for their privacy, to the point of not caring when it comes to violating its own policies.

One last thing: I'd like to finish things off with an anecdote.

You might remember that the Australian Government was criticised for using an American company (namely, Amazon AWS) for storing the contact data of COVIDSafe app users, thus potentially allowing foreign access to the detailed movements of Australian citizens. The government came back with several excuses to explain why it did what it did; you can read them for yourself (here) and decide whether it did the right thing.

I will simply point at the following:

  1. No such discourse ever took place with regards to myGovID. The public never got an opportunity to ask whether allowing Google into our digital identity (which is a big thing, actually) is the right thing to do.
  2. In my opinion, the arguments raised by the government to explain why AWS was a good fit for COVIDSafe do not apply to myGovID. There are plenty of good companies out there that offer similar facilities to Google's, for a start; and in the case of myGovID, the speed of deployment was not a factor.
All of which is pointing at our government being rather lazy when it comes to picking IT solutions. Australians will continue to pay the price for this mediocrity.

No comments: