13 million Australians verified their face with a UK company the privacy policy doesn't mention. Researchers said scrap it and start over. $500 million stolen through identity fraud. The only competing provider shut down. By December 2026, banks and telcos join the system.
Digital ID — formerly myGovID, rebranded to myID in November 2024 — is Australia's national digital identity system. Operated by the ATO, it lets 13 million Australians verify their identity online to access 150+ government services including tax, welfare, healthcare, and disability support.[1]
It has four identity proofing levels. The strongest, IP3 ("Strong"), requires a passport and facial verification via a UK biometrics company, and is the only level Centrelink accepts for online welfare access.[2]
The government has invested over $600 million since 2015.[3]
The myID privacy policy states:
"We do not disclose your personal information to overseas recipients."[4]
The ATO awarded iProov Limited — headquartered in London, UK — a $10.7 million, 3-year contract for facial liveness detection in February 2021.[5]
When automated checks fail, UK-based iProov employees can remotely view biometric images of Australian faces. The OAIC flagged this discrepancy. The privacy policy says no overseas disclosure. A UK company views your face scans.[6]
Both the ATO and iProov were granted an exemption from the TDIF privacy requirement that biometric information must be destroyed immediately. iProov may retain suspicious images for up to 14 days for "performance validation and testing." The ATO's own destruction process was undocumented — a finding the OAIC noted in its assessment.[6]
In May 2025, iProov failed to renew its UK DIATF certification, causing GOV.UK One Login to automatically lose accreditation. This affected 6 million users across 50+ government services. iProov called it a "standard review" where certification was "allowed to lapse."[7]
iProov's own 2025 Threat Intelligence Report found: native camera attacks surged 2,665%, face swap attacks up 300%, and a new attack vector detected December 2024 with "potential to bypass most current remote identity verification systems."[8]
The company trusted with 13 million Australian faces couldn't keep its UK paperwork current, and its own research says the attacks are winning.
Between July 2021 and February 2023, the ATO paid over $500 million to cyber criminals who exploited weaknesses in the myGov identification system.[9]
The attack chain:
Most payments were under $5,000 — small enough to avoid monitoring thresholds.[9]
By 2024, 10,000+ people reported myGov account misuse to IDCARE — double the previous year. Services Australia data breaches involving impersonation surged 330%.[10]
The identity verification system — built to confirm you are who you say you are — couldn't tell the difference between a real person and someone holding their stolen documents. Bank details could be changed without triggering additional checks. Half a billion dollars walked out the door.[9]
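The two control failures named above, payouts kept under the $5,000 monitoring threshold and bank-detail changes that triggered no extra checks, are exactly the signals a payments fraud team would alert on. The following is an added illustration of that detection logic, not code from the ATO or Services Australia; the customer ids, dates and amounts are constructed sample data, and the 14-day and 30-day windows are assumed tuning values.

```python
"""Flag payouts that follow a recent bank-detail change or that look like
structuring (several sub-threshold payouts that add up past the threshold).

Added example; the records below are constructed, not real ATO data.
"""
from collections import defaultdict
from datetime import date

# Constructed bank-detail change events: (customer_id, date details were changed)
ACCOUNT_CHANGES = [
    ("C-100", date(2022, 3, 1)),
    ("C-200", date(2021, 6, 1)),
]

# Constructed payouts: (payment_id, customer_id, payout_date, amount in dollars)
PAYMENTS = [
    ("P-1", "C-100", date(2022, 3, 3), 4900),
    ("P-2", "C-100", date(2022, 3, 5), 4800),
    ("P-3", "C-100", date(2022, 3, 9), 4950),
    ("P-4", "C-200", date(2022, 3, 4), 4700),
    ("P-5", "C-300", date(2022, 3, 4), 12000),
]


def flag_payments(payments, account_changes, threshold=5000,
                  change_window_days=14, aggregate_window_days=30):
    """Return {payment_id: [reason, ...]} for payouts that deserve review.

    Rule 1: payout within change_window_days after a bank-detail change.
    Rule 2: two or more payouts each below `threshold` whose total within the
            trailing aggregate_window_days reaches the threshold anyway.
    """
    # Most recent bank-detail change per customer (assumed: latest change wins).
    last_change = {}
    for cust, changed_on in account_changes:
        if cust not in last_change or changed_on > last_change[cust]:
            last_change[cust] = changed_on

    by_customer = defaultdict(list)
    for record in payments:
        by_customer[record[1]].append(record)

    flags = defaultdict(list)
    for cust, plist in by_customer.items():
        plist.sort(key=lambda p: p[2])  # chronological within the customer

        for pid, _, paid_on, amount in plist:
            # Rule 1: money sent shortly after the destination account changed.
            changed_on = last_change.get(cust)
            if changed_on is not None and 0 <= (paid_on - changed_on).days <= change_window_days:
                gap = (paid_on - changed_on).days
                flags[pid].append(f"bank details changed {gap} day(s) before payout")

            # Rule 2: structuring below the per-payment monitoring threshold.
            if amount >= threshold:
                continue
            window = [q for q in plist
                      if q[3] < threshold
                      and 0 <= (paid_on - q[2]).days <= aggregate_window_days]
            total = sum(q[3] for q in window)
            if len(window) >= 2 and total >= threshold:
                flags[pid].append(
                    f"{len(window)} sub-threshold payouts totalling {total} "
                    f"within {aggregate_window_days} days")
    return dict(flags)


if __name__ == "__main__":
    for pid, reasons in sorted(flag_payments(PAYMENTS, ACCOUNT_CHANGES).items()):
        print(pid, "->", "; ".join(reasons))
```

On the constructed data, every payout to C-100 is flagged: each lands within days of a bank-detail change, and from the second one onward the sub-threshold payouts sum past $5,000 inside the window. The single payout to C-200 (details changed months earlier) and the above-threshold payout to C-300 are left alone, which is the point: a per-payment threshold is blind to exactly the pattern the first rule and the aggregate rule catch.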
In 2020, researchers Vanessa Teague (ANU/Thinking Cybersecurity) and Ben Frengley (University of Melbourne) discovered a code replay attack in myGovID.[11]
The vulnerability: myGovID didn't tell users which website was requesting authentication. An attacker could capture the 4-digit PIN, relay it to the real site, and gain full access to the victim's tax, welfare, and health records.[11]
The ATO told the researchers it was "not a vulnerability" and "a public awareness issue." They refused to patch it.[11]
Teague and Frengley went public. Their recommendation:
"The system should be abandoned and redesigned from scratch." They called for the TDIF to be "dropped and replaced by OpenID Connect" — an open standard used by the rest of the world.[12]
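The flaw Teague and Frengley describe is that the code shown to the user was not tied to, and did not name, the relying party that asked for it. The OpenID Connect design they recommend binds every authorization code to one registered client and one pre-registered redirect URI, names that client on the consent screen, and makes each code single-use and short-lived. The model below is an added illustration of those checks, written for this article; it is not myGovID, ATO or OpenID Foundation code, and the client id, display name, redirect URI, user id and 60-second lifetime are constructed placeholders.

```python
"""Minimal model of an OpenID Connect style authorization-code exchange.

Added example, not ATO/myID code. The relying-party names, URIs and the
user id used in the demo are constructed placeholders.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCode:
    client_id: str      # the relying party the code was issued for
    redirect_uri: str   # where the user's own browser was sent with the code
    state: str          # value the relying party chose; echoed back to it
    subject: str        # the authenticated user
    expires_at: float


class AuthorizationServer:
    """Binds every code to one registered relying party and one redirect URI."""

    def __init__(self, registered_clients, ttl_seconds=60):
        # client_id -> (display name, set of pre-registered redirect URIs)
        self.clients = registered_clients
        self.codes = {}
        self.ttl = ttl_seconds

    def consent_prompt(self, client_id):
        # What the user sees before approving: the relying party is named,
        # which is the information the myGovID code prompt did not show.
        name, _ = self.clients[client_id]
        return f"Sign in to {name} ({client_id})?"

    def authorize(self, client_id, redirect_uri, state, subject, now=None):
        """Issue a single-use, short-lived code for this client and URI."""
        if client_id not in self.clients:
            raise ValueError("unregistered client")
        _, allowed = self.clients[client_id]
        if redirect_uri not in allowed:
            raise ValueError("redirect_uri not registered for this client")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, state, subject, now + self.ttl)
        return code  # in a real flow: 302 to redirect_uri?code=...&state=...

    def redeem(self, code, client_id, redirect_uri, now=None):
        """Exchange a code for identity claims; None on any mismatch.

        The code is consumed on the first attempt whether or not it succeeds,
        so a code presented by the wrong party cannot be retried by the right one.
        """
        rec = self.codes.pop(code, None)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now > rec.expires_at:
            return None
        if not hmac.compare_digest(rec.client_id, client_id) or rec.redirect_uri != redirect_uri:
            return None
        # 'aud' names the relying party the claims are for; any other site
        # receiving them must reject them.
        return {"sub": rec.subject, "aud": rec.client_id, "state": rec.state}


def relying_party_accepts(expected_state, callback_state):
    """Relying-party side: reject callbacks carrying a state it did not generate."""
    return hmac.compare_digest(expected_state, callback_state)


if __name__ == "__main__":
    srv = AuthorizationServer({"ato-online": ("ATO online services", {"https://ato.example/callback"})})
    print(srv.consent_prompt("ato-online"))
    code = srv.authorize("ato-online", "https://ato.example/callback", "st-1", "user-001")
    print("wrong client:", srv.redeem(code, "other-site", "https://ato.example/callback"))
    code = srv.authorize("ato-online", "https://ato.example/callback", "st-2", "user-001")
    print("right client:", srv.redeem(code, "ato-online", "https://ato.example/callback"))
    print("replayed:", srv.redeem(code, "ato-online", "https://ato.example/callback"))
```

Three properties do the work: the consent screen names the relying party, the code is only ever delivered to a redirect URI that was registered for that client, and redemption checks that the presenter is the client the code was issued to. A code that leaks to any other party is worthless to it, and the first redemption attempt, successful or not, consumes it.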
The ATO kept it running.
The Digital ID Act 2024, Section 74:
A relying party "must not, as a condition of providing a service or access to a service, require an individual to create or use a digital ID."[13]
The ATO's terms of use:
"Once you've accessed ATO online services using your myID, you must always access ATO online services using your myID."[14]
The law says voluntary. The terms of use say permanent. Both come from the same government.
Centrelink requires Strong myID (IP3) — which requires facial verification — for online access to welfare services. 48% of Australians don't hold a passport, which is needed for IP3. Approximately 200,000 First Nations people can't reach IP2 because they lack birth certificates.[15]
An app store review: "Can't believe this app is being mandated to everyone to be able to access such essential national services such as ATO and Centrelink."[16]
Digital Rights Watch found that the government conducted "hundreds of millions of identity checks without a legislative framework" — calling it "likely unlawful."[17]
The Digital ID Act only passed in May 2024 and commenced November 2024. Before that:
Australia Post launched its own Digital iD in 2017 — the first privately-operated accredited provider. In April 2026, it shut down. Digital identity consultant Stephen Wilson's verdict: "It's literally a market failure."[19]
Only the ATO and Services Australia remain as accredited identity providers. The government built a marketplace, and the only player left is the government.
iProov can keep your face scan for 14 days — an exemption from the rule requiring immediate destruction. The ATO's own destruction process was undocumented.[6]
iProov's own threat report paints a system under siege:[8]
NIST studies show facial recognition has higher false-positive rates for Asian, African American, and Native American groups.[20]
Professor Toby Walsh (UNSW): "If I was a person of colour I would be very concerned about all the false positives."[21]
The Greens secured a prohibition on one-to-many biometric matching — meaning the system cannot be used for mass facial recognition or surveillance searches. This is a real protection, and it matters.[13]
The Digital ID Act 2024 received Royal Assent on 30 May 2024 and commenced 30 November 2024. It was guillotined through the Senate with no second reading debate or Committee of the Whole process.[22]
27 government amendments and 16 Greens amendments were accepted. One Nation introduced a repeal bill, which failed.[23]
Section 49(3)(a) allows disclosure of biometric information to law enforcement under warrant — AFP, state police, ASIC, Australian Border Force, ATO enforcement, and state anti-corruption commissions.[13]
The identity infrastructure built for tax returns will soon verify you for loans, phone contracts, and property. The scope only ever expands.
The system works best for people who need government services least. If you're elderly, Indigenous, rural, disabled, or a visa holder, the system that's supposed to verify your identity can't verify your identity.
In November 2024, the ATO rebranded myGovID to myID. Cost: $11.5 million.[1]
Scammers exploited the rebrand within days, sending SMS and emails claiming users needed to "reconfirm details." The ATO issued public warnings.[26]
The old confusion — is it myGovID or myGov? — was replaced with new confusion — is it myID or myGov?
The Commonwealth Ombudsman found myGov security was "not adequate" and some staff hadn't asked required security questions.[27]
$11.5 million bought a new name for a system the Ombudsman says isn't secure and researchers said should be scrapped entirely.
| Feature | Australia (myID) | UK (GOV.UK Verify) | Estonia | Singapore (Singpass) |
|---|---|---|---|---|
| Status | Operational, expanding | Failed, replaced | Gold standard | 97% adoption |
| Architecture | Centralised | Federated (failed) | Decentralised (X-Road) | Centralised |
| Citizen audit log | No | Limited | Full — see every access | Available |
| Biometric vendor | iProov (UK) | iProov (lost cert) | National ID card chip | SingPass Face |
| Lock-in | Permanent (ATO) | No | No | No |
| Open source | No | Partially | Yes (X-Road) | Partially |
| Private sector | Dec 2026 | Abandoned | Integrated | 800+ organisations |
| Competitor shut down | Yes (AusPost) | Yes (providers left) | N/A (government run) | N/A |
Estonia lets citizens see every government employee who accessed their records, and officials face criminal penalties for unauthorised access. Australia offers no equivalent transparency.[28]
The UK's GOV.UK Verify spent £305 million, achieved only 3.9 million users vs 25 million forecast, had a 52% abandonment rate, and shut down in 2023. Its replacement — GOV.UK One Login — then lost its certification in 2025 when iProov let it lapse.[29]
| Law | Section | Requires | What myID does | Assessment |
|---|---|---|---|---|
| Privacy Act 1988 | APP 1.4(f)(g) | Disclose overseas recipients + countries | Policy says "we don't disclose overseas." iProov UK staff view biometrics. | Breach |
| Privacy Act 1988 | APP 8.1 + s 16C | Ensure overseas recipients comply. Strict liability. | iProov let UK certification lapse. Granted exemption from destruction rules. | Probable |
| Digital ID Act 2024 | s 74 | Cannot require Digital ID as condition of service | ATO locks users in permanently. Centrelink requires Strong myID. | Under pressure |
| Digital ID Act 2024 | s 48 | Biometric restrictions, express consent | Consent based on privacy policy that falsely denies overseas disclosure. | Probable |
| DDA 1992 | s 6, s 24 | Cannot discriminate in services; covers govt | Facial verification as Centrelink gateway. App crashes exclude disabled users. | Strong case |
| RDA 1975 | s 9 | Acts with discriminatory effect | 200,000+ Indigenous Australians lack birth certificates. NIST shows facial recognition bias. | Strong case |
| ADA 2004 | s 15, s 28 | Cannot impose age-disadvantaging conditions | Digital-only. Half of older Australians never access government services online. | Strong case |