SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Story image

It's time for Kiwis to define the meaning of digital identity in Aotearoa

By Sara Barker
Thu 28 Oct 2021

In late September, the government introduced a new bill to parliament that would fundamentally pave the way to digital identity for citizens in Aotearoa, New Zealand. 

The Digital Identity Services Trust Framework (DISTF) Bill is the brainchild of Minister of Digital Economy and Communications, David Clark. Last week, the bill passed its first reading. So what is it, and what does it stand for?

Digital identity - an overview

Digital identity is any piece of data or information that helps to identify you as a person through digital services, particularly over the internet. For example, most people will have a digital identity linked to their bank account, Inland Revenue login, passport applications, and online shopping.

In May 2021, Clark said that digital identity is a crucial enabler to the overall Digital Strategy for Aotearoa. This strategy strives to turn New Zealand into a 'world class digital nation'. He believes that New Zealand can bank on its reputation as a nation of 'ethical innovators'.

He notes that other countries with mature economies have pegged the value of digital identity between 0.5%-3% of GDP. In New Zealand dollars, that could be between $1.5 billion to $9 billion.

"Whether it's opening a bank account, sharing our medical history, conducting business online, or applying for Government services like the wage subsidy, it's vital we trust the systems we use, and that service providers know what's expected of them."

But, he admits, it has been hard to roll out digital services because there are no consistent standards that govern digital identity.

"Without these solutions, people will continue to face difficulties sharing information about themselves. They are also more exposed to risks including online fraud and other privacy breaches."

The bill is designed to achieve a clear path to identity regulation and information security both for New Zealanders and the broader digital economy.

"We are working closely with our international partners so that New Zealanders' digital identities are recognised overseas, including places like Australia. A trusted modern digital identity system will help grow our digital economy, transform government services and ensure all New Zealanders can take part in the digital world," says Clark.

The business community also feels that the path to digital identity has been anything but straightforward because there isn't enough collaboration, innovation or interoperability within identity services.

We've had government services like the online verification platform RealMe since 2013, there aren't too many examples of strong digital identity services. However, the upcoming COVID-19 vaccine certificate and passport system will be linked to digital identity and the details are yet to be fully explored. 

Clark has a vision in which businesses and individuals can prove more things online, cutting down on paperwork. This is where the proposed legislation comes into play.

A closer look at the Digital Identity Services Trust Framework Bill

The bill aims to take digital identity services further by rolling out requirements for all service providers, both the public and private sectors, who need to use identity verification services as part of their business. The bill works hand-in-hand with the legislation set out in the Privacy Act 2020, and it gives digital identity service providers to opt-in once their systems are ready.

"The Government is committed to enhancing trust and confidence in how organisations handle personal and business identity information. The legislation will ensure that everyone is clear on their rights and obligations," says Clark.

The bill has four aims:

  • To help drive consistency, trust, and efficiency in the provision of digital identity services
  • To support the development of interoperable digital identity services
  • To provide people with more control over their personal information and how it is used
  • To enable the user-authorised sharing of personal and organisational information digitally to access public and private sector services.

According to the government, the bill means that Kiwis can have more trust that their data is protected and private, and it also provides more control over how and when they share their information. And, of course, it aims to provide easier access to digital services from from the public and private sector.

The DISTF bill also aims to boost business efficiency and deliver better, more accurate information with higher trust and lower risk, as well as giving businesses more confidence meet regulations as they invest in digital services.

The government also promises to better detect and prevent security and privacy breaches, deliver better services for citizen-consented information sharing, and provide better alignment with international peers.

A vital part of this is the bill is the Trust Framework (TF) - a set of legislation, rules and regulations that all accredited digital identity service providers must follow. A governance board will be responsible for educating, shaping, and monitoring the framework. Some of these board members need to understand te ao Māori approaches to identity, technology, and identity data management. The board will also work with the Office of the Privacy Commissioner, TF providers, and te ao Māori stakeholders to address identity, technology, and identity data management.

It's early days, but feedback is cautiously optimistic

Supporting the push for digital identity is Digital Identity New Zealand (DINZ), a member consortium of New Zealand technology and other businesses including Air New Zealand, Auckland Transport, Callaghan Innovation, Centrality, Google, IBM, Inland Revenue, The Ministry of Business, Innovation and Employment, the Ministry of Education, The University of Otago, and security firms including Okta and Red Hat, as well as many others.

Collectively, DINZ sees a future in which "people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society". To do that, a digital identity ecosystem must follow three criteria: It must enhance privacy, it must enhance trust, and it must improve access for all New Zealanders.

When we approached DINZ for this story, several DINZ members contributed their thoughts. However, due to tight deadlines, we quote DINZ in this story based on responses from individual, unnamed members. These responses do not represent a consensus from the membership as a whole.

Overall, feedback on the bill from DINZ members has been positive, but it will need tweaking. That is exactly what the consultation process is designed to achieve.

"It's exciting to see this take shape, and success will come through community and industry collaboration and consultation with government. Several of our members and stakeholders from their organisations took part in the mahi that resulted in the bill's formation. We're eager to keep contributing our members' ideas and experiences to the Select Committee process and what follows from it."

DINZ says the bill is on the right track, although it comes from a more 'government-centric perspective'.

"Some industry observers have already indicated the need for clarity between the role of the regulator providing the guardrails (assumed to be the government) and RealMe's participation in the ecosystem as an identity provider or verifier." 

"It's a small market, RealMe is a dominant player, and the government will be acutely aware of not only the need to separate its own interests, but also be open to suggestions that 'counter-balance' the understandable government-centricity."

That means the DISTF's scope needs to be adaptable and support many different use cases - it can't just be limited to government thinking.

DINZ also wants to encourage national and international service providers to get involved in the bill's consultation to ensure it works from an operational and people perspective. That could mean public-private investment partnerships in a similar vein to the Ministry of Business, Innovation and Employment (MBIE), which seeks assistance from IT professionals to understand what skills and experience potential immigrants in IT need to have.

"Members would like to see reflected in a future relationship between government agencies and the digital identity industry - for example, research, information & education dissemination to the private sector and wider community, perhaps extending to some role in the accreditation/certification function. "

Karaitiana Taiuru, a Māori academic, is at the forefront of Māori data sovereignty advocacy and change.

Taiuru says the bill is a great start and has potential, but it needs comprehensive and transparent consultation with communities, as well as Māori, hapū, iwi and Māori organisations. 

"In te ao Māori, our identity is our whakapapa – the most sacred aspect of all things that we are entrusting to a government framework."

"For those of us who are connected to the internet, it will be great to not have to fill in the same details multiple times in multiple forms and security checks should be a lot easier in addition to greater individual protections against things like fraud."

"I expect this will create a more streamlined process without the need to physically visit government agencies where staff may not have the cultural knowledge to be able to understand needs or provide the best services," says Taiuru.

How the bill wants to incorporate te ao Māori, values and culture

If there is one thing that sets this bill apart from other countries' digital identity systems: It considers how te ao Māori approaches to identity are considered in trust framework governance and decision making.

David Clark remains committed to ensuring that the digital identity system reflects Māori perspectives.

"Put simply, identity means different things to different people and cultures. That's why, my officials are engaging extensively with iwi to deliver this framework in a way that supports tikanga Māori."

DINZ believes it could be a once-in-a-lifetime opportunity to create a people-centric system underpinned by Te Tiriti (The Treaty of Waitangi) and indigenous values. Not only does it bring a Māori worldview to a discussion about digital identity and the country as a digital nation, but it also opens a door to other values and principles that represent who and what Aotearoa, New Zealand means for all communities.

"It's also important for Māori to be empowered to have Kāwantanga (governance) and Rangatiratanga (self-determination) regarding their digital identity. So it was good to see this aspect explicitly focussed on. Identifying oneself in terms of one's whakapapa, sensitivities and acknowledging 'rangatiratanga' in Article 2 of the Te Tiriti o Waitangi are all woven into the fabric of Māori culture."

"Consider the case of identity-related information form fields when enrolling with a service provider online today. Do they take these factors into account? One of the clearest themes emerging from hui on the digital strategy is that trust in digital services is earned by actively co-creating with communities on these services' design, delivery, and accountability mechanisms. 'Everything happens at the speed of trust.'

However, Taiuru notes, "The COVID-19 lockdowns are a reminder to some that Aotearoa, New Zealand still has a digital divide that primarily consists of Māori and Polynesian families and other low socio-economic groups as well as the elderly and some rural communities. My primary concern is for those in the digital divide and the potential to miss out on government services and benefits."

"At first glance, there are a lot of positives to the Bill, and we are increasingly seeing Māori and Te Tiriti being considered into new legislation and bills. Te Ao Māori perspectives have been partially included and the opportunity for genuine co-design and some other Te Tiriti principles are recognised. However, I would have preferred to see a much wider acknowledgement and protection to Māori rights to data including the recognition of tikanga Māori/Māori philosophies than what is currently in the draft bill."

Taiuru believes that the government has missed an opportunity to recognise and legislate for Māori Data Sovereignty Principles.

"Some of the Te Tiriti principles are included in the Trust Framework principles, but not all, and they are not clearly identifiable. The principles do not mention Māori data sovereignty, even in the te ao Māori approaches to identity principle."

"The principles need some major rethinking from a te ao Māori perspective, and the principle should explicitly state that Māori data is a taonga. Instead, it will be left to Māori to at some stage make a Waitangi Tribunal claim to have Māori data recognised as a taonga."

"There is also no mention of the United Nations Declaration on the Rights of Indigenous Peoples, despite it being very relevant here and little consideration of the ongoing consultations of WAI 262 in the Waitangi Tribunal."

Taiuru also touches on another issue that the bill does not clarify: data storage, particularly in cases where data is stored overseas and subject to other countries security and privacy laws.

"It would be beneficial to have it legislated that the data would be stored in New Zealand, recognising Māori Data Sovereignty principles," argues Taiuru.

This brings up an important point about the role of Māori data sovereignty, which is a multi-faceted topic in its own right. It needs to be weaved into any conversation about digital identity.

Taiuru highlights the potential for issues around data use and misuse if the government requires all personal information to be in one place.

"There are risks of passport and driver licence photos being used and then for facial recognition, noting the current biases for Māori and Polynesians. There is also the risk that at some stage further bioinformatics such as Guthrie Cards could be sequenced for DNA and added to the system, noting this would be the safest way to prove the identity of an individual and their family."

"Births Deaths and Marriages are consulting about whether to use Māori individuals' iwi and hapū information on birth certificates. This just adds another complex layer of potential discrimination and Māori identity issues to a government that has intergenerationally not been trusted by Māori."

Trust, data use (and potential misuse) are valid concerns, which leads to another point - how data is used and protected.

What this all means for cybersecurity

As with any discussion about digital identity, there are important questions to be raised about cybersecurity, data privacy, and preventing potentially life-destroying issues such as identity theft and security breaches. The Trust Framework (TF) rules call for minimum security and risk requirements - namely, "ensuring that information is secure and protected from unauthorised modification, use, or loss". 

 DINZ says cybersecurity is a 'moving target' as attackers go after data at rest, and in transit. On top of that, legitimate businesses are trying to find new ways to use data they've already collected.

"People will need to be able to trust digital systems with their identities. They will need to see robust measures to monitor, notify, and remedy potential abuses of data inside any service provider's system. They will also need to know about specific social risks related to personal identification information such as biometric data capture. Further, the potential abuse of consent within personal relationships and guardianships should also be catered for."

Those participating in the TF must also analyse those within the digital identity scheme based on ensuring security, confidentiality and privacy of their information. That means those joining the scheme will be analysed based on their information and data security. If there are holes in these areas, likely, they would not be accredited.

In cases of identity fraud, economic loss, physical, or emotional harm caused by a TF provider, the TF authority could issue a public warning. However, in the event of security breaches, the TF authority won't post details of any vulnerabilities because people could exploit them.

DINZ also points to potential discrepancies and service levels between providers who adopt the TF within their businesses, and providers that choose not to.

"It's a delicate balancing act between raising the bar high enough to achieve trust through security and privacy, without unduly compromising levels of adoption by service providers in sufficient numbers to ensure the DISTF's success."

"Overseas there are examples of non-accredited/certified service providers typically with significant brand presence having higher adoption rates than accredited/certified service providers. It's in Aotearoa New Zealand's interest to see global brands that already operate here and those that are yet to arrive, be accredited/certified."

DINZ continues, "The interoperability with other Trust Frameworks and standards in force internationally is acknowledged in the bill. This is typically done as a series of mappings that help assessors determine the relative conformance of a service provider's service accredited/certified to one Trust Framework to another, such as the DISTF."

"Developing and maintaining these mappings helps international service providers by reducing the incremental time and cost for compliance with an additional Trust Framework - whether it is international seeking to operate in New Zealand, or a local business seeking to operate internationally. This is another area where members are keen to discuss industry's operational knowledge and experience."

Submissions for the DISTF bill close at 11PM on Thursday, 2nd December 2021. More information here.

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
CISOs need to consider a risk-based cybersecurity strategy
Rather than talking in terms of attack vectors and vulnerabilities, CISOs and security decision-makers must look at actual business risk.
Story image
Claroty research unveils new attack that targets PLCs
Claroty has released research detailing a new type of cyber-attack, one that weaponises programmable logic controllers (PLCs).
Story image
Data Protection
Safeguarding your financial data
As the digital revolution marches on, managing data security has never been more important. Here are five important steps to take toward better financial data security.
Story image
Email scams
HelpSystems shines light on impact of response-based threats
Response-based attacks targeting corporate inboxes have climbed to their highest volume since 2020, representing 41% of all email-based scams.
Story image
Lacework launches new capabilities for better threat detection
Lacework has announced new capabilities that enable organisations to uncover more critical threats to their infrastructure and empower teams.
Story image
Avast reveals zero-day exploits targeting Chrome and Microsoft
Avast, released its Q2/2022 Threat Report today, revealing a significant increase in global ransomware attacks, up 24% from Q1/2022.
Story image
Education sector seeing highest volumes of cyber attacks
When breaking down the numbers to education attacks by region in July 2022, A/NZ was the most heavily attacked.
Story image
Cloud and data protection big challenges for NZ businesses
"This surge towards a cloud-first approach meant security and safety became afterthoughts - there's no point being the fastest car on the racetrack if you crash.”
Story image
Data analytics
Pressure on orgs to up their data analytics game - study
A recent report from Sisense highlights data transmission, analysis, and risk management remain top concerns for data professionals in APAC.
Story image
New Zealand cloud provider challenges Google's claims on data control for region
A Wellington cloud services provider says Google's claim it will offer New Zealanders complete control over their own data is not true.
Story image
Cloud Security
Tenable makes additions to Cloud Security portfolio
Tenable has announced additions to Tenable Cloud Security that represent the next step in assessing threats related to cloud vulnerabilities.
Story image
Avast One extends protection with Online Safety Score
Avast One has extended its cross-platform support by adding its Online Safety Score feature to both the Mac and iOS platforms of Avast One.
Story image
How well do rangatahi understand cyber safety in Aotearoa?
Do rangatahi in Aotearoa understand the importance of being safe online, or has lifelong exposure to the internet resulted in widespread complacency?
Story image
Ministry will no longer accept equipment from Chinese firm Hikvision
The Ministry of Business, Innovation and Employment (MBIE) says it will no longer accept equipment from a major Chinese surveillance camera maker.
Story image
High level of Customer Identity & Access Management adoption
The study from Okta revealed that the pandemic has either accelerated or highlighted the need for digital-first strategies.
Story image
How to increase the success rate of business data projects
Amid changing economic conditions and uncertainties about supply chains and staff availability, it's never been more important for New Zealand organisations to be innovative.
Story image
Machine learning
Sysdig releases CDR offering to combat cryptojacking
Sysdig has unveiled a cloud detection and response (CDR) offering powered by machine learning to combat cryptojacking.
Story image
Why security needs to shape your journey to the cloud
It's estimated that 80% of workloads could be in the cloud in the next few years. How can you make all that data secure?
Story image
Cyber attacks
Dramatic uptick in threat activity with exploits growing nearly 150%
"While it’s not a surprise given increased attack opportunities like remote work, it’s still a worrying development and one we cannot ignore."
Story image
Can biometrics help? 123% increase in Gen Zs scammed online
In the three years leading up to 2022, the number of Gen Zs who fell victim to online scams rose by 123%, according to Ping Identity.
Story image
Attacks on gaming companies more than double over past year
The State of the Internet report shows gaming companies and gamer accounts are at risk, following a surge in web application attacks post pandemic.
Story image
Privileged Access Management / PAM
The importance of stopping identity sprawl for cybersecurity
The 2021 Data Breach Investigations Report (DBIR) shows that 61% of all breaches involve malicious actors gaining unauthorised, privileged access to data by using a compromised credential. Unfortunately, it is often too late when the misuse of a credential is detected.
AWS Marketplace
Learn how security orchestration, automation, and response (SOAR) enhances your security strategy.
Link image
Story image
Dynatrace extends application security capabilities for runtime environments
Dynatrace has announced that it has extended its Application Security Module to detect and protect against vulnerabilities in runtime environments.
Story image
Dark web
Beware the darkverse and its cyber-physical threats
A darkverse of criminality hidden from law enforcement could quickly evolve to fuel a new industry of metaverse-related cybercrime.
Story image
Organisations exposing highly sensitive protocols to public internet
More than 60% of organisations expose remote control protocol SSH to the public internet, while 36% of organisations expose the insecure FTP protocol.
Story image
Gartner Magic Quadrant
Gartner names Lookout a Visionary in 2022 Magic Quadrant
Gartner has recognised Lookout as a Visionary in the 2022 Magic Quadrant for Security Service Edge (SSE) and one of the top three offerings in the 2022 Gartner Critical Capabilities for SSE report.
Story image
Web application firewall
Radware recognised in KuppingerCole’s 2022 Leadership Compass report
Radware has been named a Product, Innovation, Market and Overall Leader in the 2022 KuppingerCole Leadership Compass report for Web Application Firewalls.
Story image
Why enhancing bot protection for web and API endpoints matters
The trouble with bots is that they aren’t all bad. Unfortunately, this can make it challenging to detect malicious bots that find their way into your system and threaten your business.
Story image
Why printing security plays a vital part in keeping Aotearoa safe
While internet printing, mobile printing and other similar technologies have no doubt made things easier to manage, it has also brought a whole new set of problems to the table.
Story image
Data Protection
Zero Trust, but verify - finding the OT in ZerO Trust
The move to remote and cloud-based technologies has shifted the goalposts for cybersecurity. It now needs to cover multiple people, devices, platforms, and networks.
Story image
NZ program recovers and recycles more than 177 tonnes of e-waste
The TechCollect NZ pilot program says its milestone of recovering and recycling more than 177 tonnes of ICT e-waste recognises the efforts of many.
Story image
Data Protection
VMware introduces advanced workload protection for AWS
VMware Carbon Black Workload for AWS delivers comprehensive visibility and security across on-premises and cloud environments for AWS customers.
Story image
Palo Alto Networks responds to rise in threats with MDR service
Unit 42 Managed Detection and Response is a new service that can offer continuous 24/7 threat detection, investigation and response.
Story image
Latest VMware threat report reveals truth about deepfakes
"Cyber criminals have evolved. Their new goal is to use deepfake technology to compromise organisations and gain access to their environment."
Story image
Dicker Data
Dicker Data brought on as Acronis partner for A/NZ
The news about the partnership comes in as cyber criminals continue to exploit gaps in traditional solutions and strategies in NZ and across the APAC region.
Story image
Google Cloud
Google Cloud to open first cloud region in NZ - among others
Google Cloud has announced plans to bring three new cloud regions, one each in New Zealand, Malaysia and Thailand.
Story image
Research shows attacks on the gaming industry are getting worse
Web application attacks in the gaming sector have grown by 167% from Q1 2021 to Q1 2022, according to new research from Akamai.
Story image
Artificial Intelligence
Exclusive: NZ-based DEFEND offers global cyber protection
DEFEND supports customers in 66 countries across the globe with a relentless focus on ensuring that every dollar spent on security provides a meaningful return on investment and reduces cyber risk.
Story image
Mandiant researchers uncover significant new disinformation campaign
Researchers from Mandiant say they have uncovered a significant disinformation campaign from the Chinese Government in the wake of U.S. Speaker Nancy Pelosi's visit to Taiwan.
Story image
Datacom research explores reality of zero trust in A/NZ
Zero trust is fast emerging as global best practice in cybersecurity and local leaders are on board, with 83% considering it essential to security.