Digital ID expansion: a flawed system rushing to scale

By Rob Mellett

Data privacy experts and civil liberties advocates warn that Australia’s November 2026 expansion of its digital identity system risks entrenching serious, unresolved privacy failures at national scale.

From 30 November, private sector organisations – including commercial banks, telecommunications companies, and law firms – will become eligible to apply for integration into the Australian Government Digital Identity System (AGDIS). The federal government has allocated more than $630 million to support the rollout, primarily targeting upgrades to the my.gov.au platform.

John Pane, Chair of Electronic Frontiers Australia (EFA), is not impressed. Where a former treasurer once called the platform a Lamborghini sitting in the garage, Pane says it is ‘more like a 1970s Lada Niva’. The money, he argues, is being spent patching a structurally compromised foundation rather than building something fit for purpose.

Participation in AGDIS remains voluntary – a provision EFA lobbied hard to enshrine in the Digital ID Act 2024. But Pane warns that voluntary in law doesn’t mean voluntary in practice. Without a digital identity, individuals risk being viewed with suspicion by banks and government agencies, creating a de facto two-tiered system that disadvantages older Australians, people in remote areas, and anyone without a robust digital footprint.

The controversy deepens around the Age Assurance Technology Trial (AATT). Pane resigned from the trial’s Stakeholder Advisory Board last year, citing a fundamentally compromised assessment process. The board, he notes, was stacked with child advocacy voices – people predisposed to support any policy restricting minors’ online access. The result was predictable: the 1,000-page final report concentrated on what Pane calls the ‘happy path’ of technology implementation, deliberately avoiding tests of how easily the tools could be circumvented.

There were troubling technical findings buried in the report. Age estimation tools showed a measurably higher error rate around the 15–16 age bracket, producing false negatives that blocked legitimate users from passing age gates. Those users were pushed into exception workflows – typically emailing copies of passports or birth certificates to third-party contractors. In the United Kingdom, Discord outsourced its exception process to an external handler; within two weeks of the Online Safety Act taking effect, that contractor suffered a breach exposing more than 70,000 user records.

As for the kids who simply wanted through: one bypassed Discord’s biometric authentication by pasting a video game character’s head over his own face. He was passed.

The pattern is familiar. When US states mandated age verification on adult content sites, Pornhub geo-blocked them entirely, driving a surge in VPN adoption. Prohibition redirected the problem; it didn’t solve it. Pane advocates instead for digital civics, ethics, and online literacy embedded throughout the school curriculum from primary level.

Perhaps the most underreported risk sits at the infrastructure layer. Technology vendors routinely pitch locally hosted data centres as evidence of data sovereignty. But local hosting is not the same as local jurisdiction. Under the US CLOUD Act, the American government retains legal authority to compel any US corporation to produce data stored on foreign servers. Such requests are issued under non-disclosure orders by Foreign Intelligence Surveillance Act courts, leaving Australian citizens and regulators entirely unaware.

The case of Oracle sharpens the concern. The company markets its cloud infrastructure to both the UK and Australian governments as secure and sovereign. Yet Oracle recently settled a class action – Katz-Lacabe et al v. Oracle America – for $115 million. The suit centred on Oracle’s ID graph: a proprietary marketing product that compiled data from its CRM and identity management tools into a database of approximately five billion consumer records. Oracle’s assurances of anonymisation, critics argue, were undermined by the system’s ability to re-identify individuals.

‘Localisation doesn’t equal sovereignty,’ Pane said. ‘And given Oracle’s activities in the data brokering space in the US, one wonders how permeable the wall really is.’

