05 March 2014

DVS 2.0

In 2010 the Australian National Audit Office strongly criticised implementation of the national Document Verification Service (DVS), envisaged as a secure online service enabling real-time verification by Commonwealth (and state/territory) government agencies of core identity documents such as birth certificates, passports, visas and drivers licenses. Last month the DVS was quietly made available to the private sector, including over 17,000 organisations.

The Service is now to be 'enhanced'.

In 2012 a report [PDF] on a Privacy Impact Assessment regarding the DVS became available under the Freedom of Information Act. It is regrettable but unsurprising that the Attorney-General's, facing ongoing and substantive criticism about the operation of the DVS and concerns regarding use by the private sector, should have hidden that light under a bushel.

Indications of community consultation regarding the DVS have not been fulfilled. It is unclear whether the enhancement preempts consultation and reflects criticism by entities such as the Australian Privacy Foundation [PDF] regarding both substantive problems with the existing DVS and concerns about ongoing function creep.

The PIA indicated that
The identity verification requirements for private sector organisations arise, for example, under legislation and related regulations:
  • in the financial services sector under various provisions such as those found in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1), the Superannuation Industry (Supervision) Regulations 1994 and the Credit Reporting Code of Conduct made under the Privacy Act
  • in the telecommunications sector, under regulations made under subsection 99(1) of the Telecommunications Act 1997, Carriage Service Providers and their retailers are required to collect and verify their customers’ identity and address information
  • in the transport sector, individuals wishing to work in secure aviation or maritime zones need to apply for an Aviation Security Identification Card (ASIC) or a Maritime Security Identification Card (MSIC). Applicants need to provide documents to prove their identity and Australian citizenship or residency. ASIC and MSIC cards are only issued after the issuing body has established the applicant’s identity and background checks are conducted as required under the Aviation Transport Security Regulations 2005 made under the Aviation Transport Security Act 2004, and the Aviation Transport Security (Consequential Amendments and Transitional Provisions) Act 2004 and the Maritime Transport and Offshore Facilities Security Regulations 2003 made under the Maritime Transport and Offshore Facilities Security Act 2003
It goes on to note that
it is common practice in the private sector for identity documents that are provided by an individual to be largely accepted at face value. Documents are routinely copied by organisations and the copies are retained in hard or scanned form. 
An organisation may seek additional documentation where it is not satisfied that the individual has established his/her identity to a sufficient level. This might include manual, or in some cases online (through subscription to the document issuers’ database), verification of personal information. Manual document verification by an organisation of papers presented to it involves the organisation forwarding personal information to the document Issuer Agency by mail, fax, email or transcribing it over the phone. The Issuer Agency will then undertake a manual search of its registers and usually respond with a copy of the document or additional supporting detail about the applicant. Online verification can involve, for example, CertValid (the Certificate Validation Service), which verifies Birth, Marriage and Change of Name Certificates issued by State and Territory Registries, or the Visa Entitlement Verification On-line service, which is operated by the Department of Immigration & Citizenship to allow organisations to verify visa details.
Organisations in the finance sector have recourse to other service providers such as credit reference agencies to undertake checks on their behalf. In 2009, the Anti-Money Laundering Magazine identified the public and proprietary data sources used to conduct checks:
  • The Australian Electoral Roll, 
  • Sensis White Pages, 
  • Department of Immigration and Citizenship, 
  • Department of Foreign Affairs and Trade watchlists, 
  • Australia Post Postal Address file, and 
  • Proprietary databases such as historical white pages, an online public number directory derived from Telstra’s Integrated Phone Number Directory and other in-house credit reference data.
A number of organisations providing identity verification services also include “data-scraping” as part of the services they offer. A form of web harvesting, data-scraping obtains validations of client data from a service agency’s public-facing internet facilities by: 
  • encouraging a client to provide authentication details and logon data into an online account or service portal, and 
  • running third-party systems that can observe and register the results of that transaction. A successful login is then recorded as successful client verification and sold on to a client organisation.