Imagine being able to purchase a phone plan or private health insurance securely online without having to provide multiple documents to prove who you are — or worry your identity could be stolen later on.
Estonia — a small Baltic nation bordering Russia — gave its residents the ability to do just that about 20 years ago when it introduced a single, secure digital ID that could be used to authenticate their identity when accessing government and private services.
Carmen Raal — the digital transformation adviser at government agency e-Estonia — told the ABC its eID's electronic signatures had become virtually ubiquitous.
"There are currently two things you can't do online in Estonia and that's get married and divorced. Everything else is possible," Ms Raal said.
"We don't have any separate health insurance cards. We don't have to carry our driver's licence with us.
"One ID card is enough for everything."
After Australia's recent Optus and Medibank hacks, cyber security experts are looking at more secure ways for Australians to prove who they are.
Estonia's eID allows its citizens to vote online, submit tax claims, check health records, organise prescriptions and use digital signatures, all with a single ID and secret pin number.
It removes the need to remember separate passwords or provide personal documents — such as passports or driver's licences — that can be easily copied and reused.
Ms Raal said Estonia introduced the eID as the country was rebuilding itself after decades of Soviet rule.
With a small population, lots of space and a lack of resources, Estonia needed to find a different way of providing public services to its people, she said.
"We discovered that digitalisation was basically the only way out," she said.
"So digitalisation was able to help us with a lack of resources, helped us to create trust and tackle corruption."
Many other countries have also started implementing digital ID systems.
Belgium has a digital ID called "itsme" which allows individuals to identify themselves, sign documents and confirm transactions securely online through a mobile phone without the need for passwords.
Last year, Germany moved its government-issued IDs online and, in 2020, European Commission President Ursula von der Leyen announced an EU-wide digital identity system.
Better than physical identification
Cybersecurity expert Vanessa Teague said that, while no system was completely secure, digital IDs were better than "flashing your passport number or driver's licence all over the internet".
"The fundamental thing that makes it better than what we're doing in Australia at the moment … is that you aren't leaving a trail of numbers that can be copied and pasted and used to impersonate you," chief executive of Thinking Cybersecurity and an associate professor at ANU Dr Teague said .
Australia has a digital limited ID system, however, Dr Teague said, it didn't go far enough to protect privacy.
"Rather than directly authenticating yourself with your own credentials to whoever you want, to whoever you want to log in to, you're pinging your identity provider and the government identity exchange every time you want to log in somewhere, so you leave this kind of trail everywhere you've been," she said.
The documents used to establish accounts were also stored, presenting a data leakage risk, she added.
The Estonian model, however, isn't without its faults, with number of incidents exposing holes in the system.
In 2020, the government's Data Protection Inspectorate threatened three pharmacy chains with 100,000-euro fines after they let individuals access other people's e-prescriptions without consent.
And, in the same year, a police officer and healthcare worker were fined when they tried to access the police officer's future spouse's e-health records.
However, Arnis Paršovs — a research fellow in cyber security at the University of Tartu — said the Estonian authorities had been proactive in dealing with the issues.
Mr Paršovs said that, in 2017, it was discovered the eID's cryptographic keys had a weakness, making it possible to obtain a private key stored in someone's card without having it.
"These risks … are patched, mitigated and we kind of move forward," he said.
He said that, because Estonia used a single, encrypted id — rather than multiple documents — there had been few high-impact ransomware attacks.
"In Estonia … you just provide the proof that you have access to the private key, the private key never leaves the ID card, or the private key is never known by the party with whom you authenticate," he said.
"You can hack the service provider and they simply don't have these authentication credentials to impersonate me or anyone else.
"But, of course, these service providers do have access to personal data … maybe health information if they are processing health information."
Legislative change for digital IDs needed in Australia
Fergus Hanson — the director of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI) — said digital IDs could enhance privacy if they were extended to Australian businesses and individuals, because companies would not have to collect identity data.
However, the government first needed to introduce appropriate legislation.
"It's sort of operating in a legal vacuum at the moment, so I think that's highly problematic and it urgently needs legislation that is designed to protect citizens," he said.
"What we need to do is make them designed to help citizens and make their lives better and safer and more secure."
Digital ID should not be used as an opportunity for surveillance or law enforcement and there had to be ongoing scrutiny of the system, he said.
"The scheme is never going to be perfect … but we've just got to have a process to try [to] identity as many [vulnerabilities] as we possibly can," he said.
Mr Hanson added that a nationwide digital ID system would have to be developed in cooperation with the state and territory governments, because they engaged with their citizens more frequently than the federal government.
"We really need to make sure the states have a stake in this, so that they use this common scheme rather than going off and developing their own schemes — which they're doing at the moment," he said.
