[Updated 16 April 2020 with response from Catherine King MP and ATO. See bottom of this post.]
I've just sent a letter to the Commissioner of Taxation about the
rollout of MyGovID as the only way to log in to the ATO Business Portal. Here it
is in case it helps to encourage other business owners to speak out.
Essentially the ATO is switching off the nice email/password/SMS-code
MyGov login method I use to access the Business Portal to manage
tax/GST/PAYG/super. They are replacing this with login via a proprietary
mobile app called, confusingly, MyGovID. I'm late to the party, with the
changeover due in only a few days' time, but better late than not heard
at all.
To: Chris Jordan AO, Commissioner of Taxation
Dear Mr Jordan
Due to the major ethical, privacy and security issues with MyGovID and its
upcoming compulsory use in the ATO Business Portal, I request that the
transition be deferred. This will allow for further review and revisions to
MyGovID and the way it is distributed.
As a small business owner, I currently complete my Business Activity Statement,
Pay As You Go tax withholding, GST and superannuation payments to employees
through the Business Portal. I log in using MyGov (not MyGovID). This approach
works very well for me, requiring only an email, password and SMS code.
As you know, login via MyGov is being decommissioned at the end of March 2020 to
be replaced by the new MyGovID smartphone app. MyGovID has two major problems.
Firstly, all business owners will require an account with either Apple or Google. Secondly,
MyGovID is proprietary software that business owners are asked to blindly trust and
cannot audit.
To download the MyGovID app requires that the business owner register with Apple
to access the Apple App Store, or with Google to access the Google Play Store.
This typically requires providing full name, date of birth, phone number,
address and credit card details. Apple and Google are two of the world's richest
companies whose sole responsibility is to their shareholders, not to account
holders. While many Australians have already given up their personal information
to Apple or Google, we are really only just beginning to understand the
implications of these actions. These companies have no place collecting dossiers
on Australians or being in a position of trust and power between the Australian
Government and its citizens.
MyGovID is proprietary software, which means that the people using it, even
technology professionals like myself, have absolutely no knowledge of what it
does. We can't tell what information it tracks and collects about us and whether
or not it is behaving in our best interests. This is the worst kind of
technology — monopoly, non-interoperable technology that we are forced to
depend on and must trust on blind faith.
Personally, for ethical, privacy and security reasons I do not have or wish to
have an account with either Apple or Google and choose not to use proprietary
software. From April I will no longer have access to the Business Portal and
will be forced to manage my tax obligations by post. For my business this means not
having the most up-to-date information about my tax account, spending more time
on managing my tax affairs and finding an alternative method to report and pay
superannuation.
As a technology professional I'm sympathetic to the challenges of designing a
simple and secure online system, let alone one that is responsible for highly
confidential information and is rolled out to millions of citizens. This is not
easy, but it can be done without sacrificing ourselves to Apple/Google
and without putting unaccountable technology in a position of unjust power over our lives.
How could this situation be improved right now? Firstly, please defer
decommissioning the existing MyGov login to allow for further public review.
Secondly, please release the source code to the new MyGovID app to the public to
allow it to be reviewed and verified by any Australians with the interest and
technical expertise to do so. Thirdly, please ensure that the MyGovID app is
available for download without requiring registration; for example in an F-Droid
compatible repository.
My apologies for the lateness in raising these concerns. As a busy sole-trader,
it's difficult to allocate time to these things. I would be
very happy to discuss this matter with you further.
Yours sincerely,
Ben Sturmfels
CC: Catherine King MP, Federal Member for Ballarat
Update 27 March 2020: Catherine King MP responded very promptly and sent me
a copy of the letter she wrote to Treasurer Josh Frydenberg about the matter on
my behalf.
Update 31 March 2020: I had a lovely call from a person at ATO
responding to my complaint. A couple of things they mentioned:
- ATO is the first agency to use MyGovID
- MyGovID has a feedback form so please use it
- they have received quite a bit of feedback similar to mine
- there was some form of hard deadline in place around their previous
  authentication set up around 10 years ago - sounded like a contract
  expiry but I didn't get specifics - may have been just related to AusKey
- they really didn't know how the transition was going to go - now they
  have learned, surprise surprise, for example a bunch of tax accountants
  who don't have smartphones - much respect to those accountants!
- currently the Digital Identity team is only speaking with people who
  are having technical difficulties with the app, not people who want to
  participate in the upstream process
All in all, they were very empathetic about the ethical issues of
requiring Apple or Google accounts and trust in proprietary tech. If you
can spare a few minutes, this is an important time to be heard and they
are certainly listening.
Update 16 April 2020: A representative of ATO called to suggest that as a sole-trader (not a company),
I can manage activity statements and superannuation through the ATO linked
service on my.gov.au. I tried this and after doing the necessary linking
security questions, I get essentially the exact same functionality I had via the
ATO Business Portal.
This isn't an option for companies though, who are forced to use MyGovID
so that multiple authorised people can access these features on the ATO
Business Portal.
The representative told me that there are no plans to move my.gov.au to
MyGovID login for the foreseeable future.
So that solves my issues for now, but I expect it's only a matter of
time before MyGovID gets more widely rolled out.