← Government App
D

myID / Digital Identity

Serious concerns
Australian Government · 🇦🇺 Australia
PolicyApp PermissionsNetwork TrafficFirmwareRegulatory
Technical details
App: myID
Manufacturer: Australian Government (DTA)

⚠️ The bottom line

$500 million in fraud despite biometric verification. Criminals scanned stolen documents, created myGovID accounts, and accessed the tax system — because "strong identity verification" accepted scans of someone else's passport. The biometric step confirms you're holding a phone. It doesn't confirm you're the person on the document. To prove you're Australian, you scan your face. That scan goes to iProov, a British company subject to UK surveillance laws. Where your biometric template is stored, who can access it, and whether GCHQ could compel disclosure — the Australian Government won't say. Your face, outsourced to a foreign jurisdiction.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act read more →
Govt can force companies to build backdoors in encryption — and gag them from telling you
Metadata Retention read more →
ISPs and telcos must store 2 years of your connection data for law enforcement
Spying
4/4 EXTREME
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
REPLACE Extreme risk. Look for alternatives or lock down hard.
4Contradictions
1Critical
2High
1Medium
4Sources
Findings by concern
Spying 4/4 EXTREME 4 findings
⚠️ criticalmarketing vs regulatory
$500 million in fraud despite biometric verification. Criminals scanned stolen documents, created myGovID accounts, and accessed the tax system — because "strong identity verification" accepted scans of someone else's passport. The biometric step confirms you're holding a phone. It doesn't confirm you're the person on the document.

What they claim: myGovID provides "strong" identity verification to prevent fraud

What we found: Despite myGovID's biometric verification, the ATO reported $500 million in identity fraud in 2022. Criminals bypassed the system by creating fraudulent myGovID accounts using stolen identity documents, then linking them to myGov to access ATO services. The system's "identity proofing" process could be completed with scanned documents rather than requiring physical document verification.

⚡ highmarketing vs third party research
To prove you're Australian, you scan your face. That scan goes to iProov, a British company subject to UK surveillance laws. Where your biometric template is stored, who can access it, and whether GCHQ could compel disclosure — the Australian Government won't say. Your face, outsourced to a foreign jurisdiction.

What they claim: myGovID described as a secure Australian Government digital identity

What we found: The biometric verification for myGovID is provided by iProov, a UK-based company. Australian citizens' facial biometric data is processed by a foreign corporation subject to UK surveillance laws including the Investigatory Powers Act 2016. The Australian Government has not disclosed where iProov stores or processes biometric templates of Australian citizens.

⚡ highmarketing vs third party research
Cybersecurity researchers told the government to scrap its digital ID approach entirely — calling it "technically unsound." They warned the system creates a centralised biometric honeypot: one breach and every Australian's face is compromised. Unlike a password, you cannot change your face. The government proceeded anyway.

What they claim: Digital Identity system promoted as secure, convenient, and world-leading

What we found: A group of Australian cybersecurity researchers wrote to the government recommending it "scrap the current approach" to digital identity, calling it "technically unsound." The researchers warned the centralised biometric model created a honeypot target and that the legislation provided insufficient safeguards against function creep.

⚫ mediummarketing vs regulatory
There used to be two options: myGovID and Australia Post's Digital iD. The government shut down the competition, leaving one system, one biometric provider, no choice. If you don't trust iProov with your face, your alternative is to queue at a government office. Choice and convenience — as long as you choose what they give you.

What they claim: Government promotes myGovID as the national digital identity solution offering choice and convenience

What we found: Australia Post's Digital iD was shut down, leaving myGovID as the only government digital identity option. The decision eliminated competition in the digital identity market and forced all Australians requiring digital identity verification into a single system with a single biometric provider (iProov). Users of Digital iD had to re-enrol in myGovID.

Sources