MyGovID ethical, privacy and security problems for ATO Business Portal

I've just sent a letter to the Commissioner of Taxation about the rollout of MyGovID as the only way to log in to the ATO Business Portal. Here it is in case it helps to encourage other business owners to speak out.

Essentially the ATO is switching off the nice email/password/SMS-code MyGov login method I use to access the Business Portal to manage tax/GST/PAYG/super. They are replacing this with login via a proprietary mobile app called, confusingly, MyGovID. I'm late to the party, with the changeover due in only a few days' time, but better late than not heard at all.


To: Chris Jordan AO, Commissioner of Taxation

Dear Mr Jordan

Due to the major ethical, privacy and security issues with MyGovID and its upcoming compulsory use in the ATO Business Portal, I request that the transition be deferred. This will allow for further review and revisions to MyGovID and the way it is distributed.

As a small business owner, I currently complete my Business Activity Statement, Pay As You Go tax withholding, GST and superannuation payments to employees through the Business Portal. I log in using MyGov (not MyGovID). This approach works very well for me, requiring only an email, password and SMS code.

As you know, login via MyGov is being decommissioned at the end of March 2020 to be replaced by the new MyGovID smartphone app. MyGovID has two major problems. Firstly, all business owners will require an account with either Apple or Google. Secondly, MyGovID is proprietary software that business owners are asked to blindly trust and cannot audit.

To download the MyGovID app requires that the business owner register with Apple to access the Apple App Store, or with Google to access the Google Play Store. This typically requires providing full name, date of birth, phone number, address and credit card details. Apple and Google are two of the world's richest companies whose sole responsibility is to their shareholders, not to account holders. While many Australians have already given up their personal information to Apple or Google, we are really only just beginning to understand the implications of these actions. These companies have no place collecting dossiers on Australians or being in a position of trust and power between the Australian Government and its citizens.

MyGovID is proprietary software, which means that the people using it, even technology professionals like myself, have absolutely no knowledge of what it does. We can't tell what information it tracks and collects about us and whether or not it is behaving in our best interests. This is the worst kind of technology — monopoly, non-interoperable technology that we are forced to depend on and must trust on blind faith.

Personally, for ethical, privacy and security reasons I do not have or wish to have an account with either Apple or Google and choose not to use proprietary software. From April I will no longer have access to the Business Portal and will be forced to manage my tax obligations by post. For my business this means not having the most up-to-date information about my tax account, spending more time on managing my tax affairs and finding an alternative method to report and pay superannuation.

As a technology professional I'm sympathetic to the challenges of designing a simple and secure online system, let alone one that is responsible for highly confidential information and is rolled out to millions of citizens. This is not easy, but it can be done without sacrificing ourselves to Apple/Google and without putting unaccountable technology in a position of unjust power over our lives.

How could this situation be improved right now? Firstly, please defer decommissioning the existing MyGov login to allow for further public review. Secondly, please release the source code to the new MyGovID app to the public to allow it to be reviewed and verified by any Australians with the interest and technical expertise to do so. Thirdly, please ensure that the MyGovID app is available for download without requiring registration; for example in an F-Droid compatible repository.

My apologies for the lateness in raising these concerns. As a busy sole-trader, it's difficult to allocate time to these things. I would be very happy to discuss this matter with you further.

Yours sincerely,

Ben Sturmfels

CC: Catherine King MP, Federal Member for Ballarat
