MyGovID ethical, privacy and security problems for ATO Business Portal

[Updated 16 April 2020 with response from Catherine King MP and ATO. See bottom of this post.]

I've just sent a letter to the Commissioner of Taxation about the rollout of MyGovID as the only way to log in to the ATO Business Portal. Here it is in case it helps to encourage other business owners to speak out.

Essentially the ATO is switching off the nice email/password/SMS-code MyGov login method I use to access the Business Portal to manage tax/GST/PAYG/super. They are replacing this with login via a proprietary mobile app called, confusingly, MyGovID. I'm late to the party, with the changeover due in only a few days' time, but better late than not heard at all.


To: Chris Jordan AO, Commissioner of Taxation

Dear Mr Jordan

Due to the major ethical, privacy and security issues with MyGovID and its upcoming compulsory use in the ATO Business Portal, I request that the transition be deferred. This will allow for further review and revisions to MyGovID and the way it is distributed.

As a small business owner, I currently complete my Business Activity Statement, Pay As You Go tax withholding, GST and superannuation payments to employees through the Business Portal. I log in using MyGov (not MyGovID). This approach works very well for me, requiring only an email, password and SMS code.

As you know, login via MyGov is being decommissioned at the end of March 2020 to be replaced by the new MyGovID smartphone app. MyGovID has two major problems. Firstly, all business owners will require an account with either Apple or Google. Secondly, MyGovID is proprietary software that business owners are asked to blindly trust and cannot audit.

To download the MyGovID app requires that the business owner register with Apple to access the Apple App Store, or with Google to access the Google Play Store. This typically requires providing full name, date of birth, phone number, address and credit card details. Apple and Google are two of the world's richest companies whose sole responsibility is to their shareholders, not to account holders. While many Australians have already given up their personal information to Apple or Google, we are really only just beginning to understand the implications of these actions. These companies have no place collecting dossiers on Australians or being in a position of trust and power between the Australian Government and its citizens.

MyGovID is proprietary software, which means that the people using it, even technology professionals like myself, have absolutely no knowledge of what it does. We can't tell what information it tracks and collects about us and whether or not it is behaving in our best interests. This is the worst kind of technology — monopoly, non-interoperable technology that we are forced to depend on and must trust on blind faith.

Personally, for ethical, privacy and security reasons I do not have or wish to have an account with either Apple or Google and choose not to use proprietary software. From April I will no longer have access to the Business Portal and will be forced to manage my tax obligations by post. For my business this means not having the most up-to-date information about my tax account, spending more time on managing my tax affairs and finding an alternative method to report and pay superannuation.

As a technology professional I'm sympathetic to the challenges of designing a simple and secure online system, let alone one that is responsible for highly confidential information and is rolled out to millions of citizens. This is not easy, but it can be done without sacrificing ourselves to Apple/Google and without putting unaccountable technology in a position of unjust power over our lives.

How could this situation be improved right now? Firstly, please defer decommissioning the existing MyGov login to allow for further public review. Secondly, please release the source code to the new MyGovID app to the public to allow it to be reviewed and verified by any Australians with the interest and technical expertise to do so. Thirdly, please ensure that the MyGovID app is available for download without requiring registration; for example in an F-Droid compatible repository.

My apologies for the lateness in raising these concerns. As a busy sole-trader, it's difficult to allocate time to these things. I would be very happy to discuss this matter with you further.

Yours sincerely,

Ben Sturmfels

CC: Catherine King MP, Federal Member for Ballarat


Update 27 March 2020: Catherine King MP responded very promptly and sent me a copy of the letter she wrote to Treasurer Josh Frydenberg about the matter on my behalf.


Update 31 March 2020: I had a lovely call from a person at ATO responding to my complaint. A couple of things they mentioned:

  • ATO is the first agency to use MyGovID

  • MyGovID has a feedback form so please use it

  • they have received quite a bit of feedback similar to mine

  • there was some form of hard deadline in place around their previous authentication set up around 10 years ago - sounded like a contract expiry but I didn't get specifics - may have been just related to AusKey

  • they really didn't know how the transition was going to go - now they have learned, surprise surprise, for example a bunch of tax accountants who don't have smartphones - much respect to those accountants!

  • currently the Digital Identity team is only speaking with people who are having technical difficulties with the app, not people who want to participate in the upstream process

All in all, they were very empathetic about the ethical issues of requiring Apple or Google accounts and trust in proprietary tech. If you can spare a few minutes, this is an important time to be heard and they are certainly listening.


Update 16 April 2020: A representative of ATO called to suggest that as a sole-trader (not a company), I can manage activity statements and superannuation through the ATO linked service on my.gov.au. I tried this and after doing the necessary linking security questions, I get essentially the exact same functionality I had via the ATO Business Portal.

This isn't an option for companies though, who are forced to use MyGovID so that multiple authorised people can access these features on the ATO Business Portal.

The representative told me that there are no plans to move my.gov.au to MyGovID login for the foreseeable future.

So that solves my issues for now, but I expect it's only a matter of time before MyGovID gets more widely rolled out.
