Every Australian's gateway to welfare, healthcare, and tax — tracked by five American corporations, protected by terms that wouldn't survive a consumer tribunal if a private company wrote them, and run on a platform the government's own auditor says is unprepared for a cyber attack.
myGov is the Australian Government's single sign-on portal. Run by Services Australia, it connects 26 million Australians to 21 government services including Centrelink (welfare), Medicare (healthcare), the ATO (tax), NDIS (disability support), My Health Record, Child Support, and the National Redress Scheme for survivors of institutional child sexual abuse.[1]
If you want to lodge a tax return, check your Medicare claims, apply for JobSeeker, access your health record, or manage your NDIS plan online — you go through myGov.
The government says using it is voluntary.[2]
"Using myGov, including through the myGov mobile application (the app), and accessing your online linked services is voluntary."[2]
On 23 March 2020, Australia went into lockdown. 725,000 people tried to access Centrelink through myGov in a single day to claim JobSeeker. The system crashed. People lined up outside physical Centrelink offices for six hours while being told to "go online." Prime Minister Scott Morrison said "please don't go to Centrelink" — while offering no working alternative.[3]
The ATO goes further. Once you use your Digital ID (myID) to access ATO services, you can never go back:
"Once you've accessed ATO online services using your myID, you must always access ATO online services using your myID, because it's the most secure access method."[4]
The facial verification needed for a "Strong" myID — the only level that works with Centrelink — is described as "optional."[5] But if you're a Disability Support Pension recipient who needs Centrelink access, the face scan is the only way in.[6]
Under the Digital ID Act 2024 (s 74), a relying party "must not, as a condition of providing a service or access to a service, require an individual to create or use a digital ID." Services cannot be provided on "substantially less favourable terms" to people who don't use Digital ID. Government departments cannot be exempted.[7]
The myGov privacy page says:
"We use cookies collected on myGov and the app to gather website usage data and to optimise the experience of all users."[8]
That's the entire disclosure. No platform names. No mention of American companies. No mention of session recording.
We looked at the page source code. Here's what's actually embedded:[9]
| Tracker | Company | What it does |
|---|---|---|
| Adobe Launch / Analytics | Adobe Inc., San Jose, California | Web analytics, event tracking, user behaviour data |
| Adobe Data Layer | Adobe Inc., San Jose, California | Structured collection of page and user interaction data |
| Google Fonts | Google LLC, Mountain View, California | Loads fonts; sends visitor IP address and browsing metadata to Google |
The entire my.gov.au site runs on Adobe Experience Manager (AEM) — a commercial content management system built by a US corporation.[9]
Further trackers embedded in the source:[9]

| Tracker | Company | What it does |
|---|---|---|
| Google Tag Manager | Google LLC, Mountain View, California | Tag management and analytics orchestration. Container ID: GTM-P4CCPCZ |
| New Relic | New Relic Inc., San Francisco, California | Application performance monitoring, browser error tracking, AJAX tracking. App ID: 688337168 |
| Microsoft Clarity (session recording) | Microsoft Corp., Redmond, Washington | Captures every mouse movement, click, scroll, and page content visible on screen |
| Facebook domain verification | Meta Platforms Inc., Menlo Park, California | Confirms Services Australia has verified its domain with Meta, a prerequisite for Facebook Pixel. Verification token: a3dzyad0kj4oxe3xcjl2tl5awdefcm |
Microsoft Clarity is a session recording tool deployed on servicesaustralia.gov.au — the site where Australians access their Centrelink payment information, Medicare claims, and disability support details. It captures every mouse movement, every click, every scroll, page content visible on screen, and form interactions. Session recordings are stored on Microsoft's servers in the United States.[9]
The meta tag confirms Services Australia — the agency that pays Centrelink and Medicare — has an active verified domain relationship with Meta/Facebook. This is typically a prerequisite for running Facebook Pixel for advertising conversion tracking.[9]
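The kind of page-source review described above can be reproduced with a small scanner. The following is an added example, not code from the article, from Services Australia or from any of the vendors named: it matches known tracker signatures in raw HTML, extracts the identifier each one embeds, and lists every external host the page references. The sample page is constructed for the example; the identifiers in it are the ones the article reports, while the hostnames (such as `assets.adobedtm.com`), the New Relic licence key and the `cmp-` class fingerprint for AEM are this example's own assumptions.

```python
"""Inventory third-party trackers embedded in a saved HTML page.

Added example, not code from the article or from Services Australia. It
reproduces the article's page-source review: match known tracker signatures
in the raw HTML, pull out the identifier each one embeds, and list every
external host the page references. SAMPLE_HTML is constructed; the tracker
identifiers are those the article reports, the hostnames and licence key
are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    tracker: str
    company: str
    identifier: Optional[str]   # embedded ID where the tracker exposes one


# (tracker, company, regex proving presence, regex whose "id" group extracts
# the identifier, or None when the tracker embeds nothing worth recording)
SIGNATURES = [
    ("Adobe Launch", "Adobe Inc.",
     r"launch-[0-9a-f]+\.min\.js", r"(?P<id>launch-[0-9a-f]+\.min\.js)"),
    ("Adobe Data Layer", "Adobe Inc.",
     r"data-cmp-data-layer-name=", r'data-cmp-data-layer-name="(?P<id>[^"]+)"'),
    ("Google Fonts", "Google LLC",
     r"fonts\.(?:googleapis|gstatic)\.com", None),
    ("Google Tag Manager", "Google LLC",
     r"googletagmanager\.com|GTM-[A-Z0-9]+", r"(?P<id>GTM-[A-Z0-9]+)"),
    ("New Relic", "New Relic Inc.",
     r"NREUM|newrelic\.com", r'applicationID"?\s*:\s*"(?P<id>\d+)"'),
    ("Microsoft Clarity", "Microsoft Corp.",
     r"clarity\.ms|/api/v1/clarity", None),
    ("Facebook domain verification", "Meta Platforms Inc.",
     r"facebook-domain-verification",
     r'name="facebook-domain-verification"\s+content="(?P<id>[^"]+)"'),
    # Assumption of this example: "cmp-" CSS classes (AEM core components)
    # are taken as the AEM fingerprint the article refers to.
    ("Adobe Experience Manager", "Adobe Inc.",
     r'class="[^"]*\bcmp-[a-z]', None),
]


def inventory(html: str) -> list:
    """Return one Finding per tracker signature present in the page."""
    findings = []
    for tracker, company, presence, id_pattern in SIGNATURES:
        if not re.search(presence, html):
            continue
        ident = None
        if id_pattern:
            match = re.search(id_pattern, html)
            ident = match.group("id") if match else None
        findings.append(Finding(tracker, company, ident))
    return findings


def third_party_hosts(html: str, first_party: str) -> list:
    """Every absolute-URL host in the page that is not the first-party domain.

    Scans the raw text rather than only src/href attributes, so hosts named
    solely inside inline loader scripts (the usual GTM pattern) are still seen.
    """
    hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", html))
    return sorted(h for h in hosts
                  if not (h == first_party or h.endswith("." + first_party)))


# Constructed sample page. Identifiers are those the article reports;
# "assets.adobedtm.com" and the licence key are placeholders.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="facebook-domain-verification" content="a3dzyad0kj4oxe3xcjl2tl5awdefcm">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://assets.adobedtm.com/placeholder/launch-3792184e5e46.min.js" async></script>
<script>window.NREUM||(NREUM={});NREUM.info={"licenseKey":"LICENSE_PLACEHOLDER","applicationID":"688337168"};</script>
<script src="https://js-agent.newrelic.com/nr-loader.min.js"></script>
<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-P4CCPCZ');</script>
<script src="/api/v1/clarity"></script>
</head>
<body data-cmp-data-layer-name="adobeDataLayer">
<div class="cmp-container"><p class="cmp-text">Sign in to myGov</p></div>
<script src="https://my.gov.au/etc.clientlibs/site.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML):
        print(f"{f.tracker:30} {f.company:22} {f.identifier or '-'}")
    print("third-party hosts:", ", ".join(third_party_hosts(SAMPLE_HTML, "my.gov.au")))
```

Two points the sample is built to show. The Clarity loader is fetched from a same-origin path (`/api/v1/clarity`, as the article records), so it never appears in the external-host list; a host-based blocklist or a DNS-level filter would miss it, and only the content signature catches it. Conversely, the Tag Manager host appears only inside an inline loader string, which an attribute-only parser would skip. A regex hit is an indicator to confirm against live network traffic, not proof on its own, and the scan says nothing about what each tool is configured to collect once loaded.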
**Breach:** APP 1.4(f) and (g) — A privacy policy "must contain" whether the entity is likely to disclose personal information to overseas recipients and, if so, the countries in which those recipients are located. The myGov privacy page identifies none of these recipients and none of these countries.[10]
**Breach:** APP 5.2(d) and (f) — At or before the time of collection, the entity must notify the individual of the purposes and the third parties to which information is usually disclosed. No notification identifies Adobe, Google, Microsoft, New Relic, or Meta.[10]
**Probable:** APP 8.1 — Before disclosing personal information to an overseas recipient, the entity must take reasonable steps to ensure the overseas recipient doesn't breach the APPs. Under Section 16C of the Privacy Act, the disclosing entity is strictly liable.[10]
**Probable:** APP 6.1 — Personal information can only be used for the primary purpose of collection or a directly related secondary purpose. Disclosing browsing data to Meta is not "reasonably expected" when checking Centrelink payments.[10]
**Probable:** Digital ID Act 2024, s 53 — Accredited entities are prohibited from using personal information for data profiling to track online behaviour. The tracking infrastructure constitutes exactly that.[7]
**Penalty:** Privacy Act s 13G — Maximum penalty per serious interference with privacy: $50,000,000, or three times the benefit obtained, or 30% of adjusted turnover, whichever is greatest.[12]
The myGov terms of use say:
"If you choose to use your device's biometrics, myGov will not collect, store or otherwise handle your biometric information."[2]
This is technically true for your phone's fingerprint or Face ID. But when you set up myID (the Digital ID required for Centrelink), the system takes a series of photos of your face — a "liveness stream" — and analyses your facial geometry:
"[myID] reads the geometry of your face. Key factors include the distance between your eyes, the distance from forehead to chin, and many more biometric factors."[5]
The liveness detection is performed by iProov Limited — a company headquartered in London, UK — under a $10.7 million, three-year contract.[13]
Biometric data is stored on Australian-based AWS. But when automated verification fails, UK-based iProov employees can remotely view your biometric images.[14]
The myID privacy policy says:
"We do not disclose your personal information to overseas recipients."[5]
The Office of the Australian Information Commissioner identified that UK-based iProov staff viewing Australian biometric data constitutes overseas disclosure — regardless of where the servers are.[14]
**Breach:** APP 1.4(f) and (g) — This is not a failure to disclose. It is an affirmatively false statement in the privacy policy.[10]
**Breach:** APP 8.1 — Cross-border disclosure of "sensitive information" (biometrics, s 6(1)) triggers strict liability under s 16C.[10]
iProov may retain suspicious or inconclusive images for up to 14 days for "performance validation and testing purposes."[14]
"We may lock, suspend or terminate your myGov account or myGov access at any time and for any reason."[2]
No due process. No appeal mechanism. No requirement to notify you first. No obligation to explain why.
Account termination cuts access to: welfare payments, tax returns, Medicare, NDIS disability support, cancer screening results, child support, veteran affairs, and the National Redress Scheme for institutional child sexual abuse survivors.[1]
Part 4 of the Social Security (Administration) Act 1999, Sections 126–145, requires that every decision affecting payment entitlements must be subject to internal review (s 126), notification of review rights (s 138), and external review by the Administrative Review Tribunal (s 142).[15] myGov's "any time, any reason" termination operates outside this statutory framework entirely.
Administrative law principles established in Kioa v West (1985) hold that when an order will deprive a person of a right, they are entitled to know the case against them and to reply to it.[16]
You are liable for:[2]

- "Everything that is done with and on your myGov account" — even if someone else accessed it.
- Keeping all linked services updated separately.
- Reading all notifications "in a timely manner."

They are NOT liable for:[2]

- "Any Loss suffered as a result (whether directly or indirectly) of your use, or your inability to use, myGov."
- Loss of data, profits, or opportunity.
- Security of your data.
- Undelivered notifications.
- "Security threats or vulnerabilities" on their own platform.
Citizens accessing essential government services have fewer consumer protections than customers of a private gym.
If a private gym imposed these terms, the ACCC could take them to court under Sections 23–28 of the Australian Consumer Law.[17] But the ACL requires conduct "in trade or commerce." Government service delivery is almost certainly a governmental function (Murphy v State of Victoria [2014] VSC 404).[18]
"This includes acceptance of any changes to these terms of use in circumstances where it's reasonable to assume that you are aware of the changes."[2]
Who decides what's "reasonable to assume"? Services Australia does. Your only remedy: stop using myGov — and lose access to all government services online.
"We have strong security processes and protections in place across our digital platforms."[8]
Here's the record:
A real-world attack, documented by IDCARE: A Medicare record was breached via phone. The fraudster changed the address, requested a new Medicare card mailed to their address, used that card to access the ATO via myGov, submitted fraudulent tax returns in the victim's name, and changed bank details to intercept the refund.[20]
Under myGov's terms, the victim is responsible for "everything done with and on your myGov account."[2]
Between 2016 and 2019, the Australian Government used an automated income-averaging algorithm through Centrelink — accessed via myGov — to issue 470,000+ debt notices. Many were wrong.[19]
People received threatening letters demanding repayment of debts they didn't owe. At least three people died by suicide linked to the stress of receiving unlawful Robodebt notices.[19]
The Royal Commission into the Robodebt Scheme (2023) found:
The myGov/Centrelink portal was the delivery mechanism for these unlawful debt notices. The Royal Commission recommended reforms to automated decision-making.[19] But the myGov terms of use — including "any time, any reason" termination, no appeal mechanism, and deemed notification — replicate the structural conditions that enabled Robodebt.
"No Australian will be forced to use government identification (including Digital ID)."[7]
Lyndon Ormond-Parker, co-chair of the First Nations Digital Inclusion Advisory Group: "There is a risk that traditional or alternative means will slowly get phased out under the assumption that everyone will use online service delivery."[25]
**Strong case:** Racial Discrimination Act 1975, s 9 — It is unlawful to do any act that has the effect of impairing equal access to human rights based on race. Intent is not required. Precedent: Mabo v Queensland (No 1) (1988).[26]
The digital-only push imposes conditions — digital literacy, device ownership, reliable internet — that disproportionately disadvantage older Australians.
**Strong case:** Age Discrimination Act 2004, s 28 — Explicitly covers government services. Less discriminatory options exist (maintaining phone and in-person services).[27]
People with cognitive, vision, and motor disabilities face barriers with myGov's interface, CAPTCHA, and smartphone-based facial verification.[28]
**Strong case:** Disability Discrimination Act 1992, s 24 — Explicitly covers government services. The SOCOG precedent (Maguire v SOCOG, 2000) established that inaccessible digital services breach Section 24.[28]
The NSW Council for Civil Liberties noted that Australia is "the only liberal democracy lacking" a Bill of Rights.[30]
"You can delete or uninstall the myID app from your device, however this won't delete your myID account."[4]
To actually close your account, you must call a phone support line.[4] Even then:
"Some personal information may be retained in accordance with the Digital ID Act 2024 and the Archives Act 1983."[4]
The Archives Act 1983 classifies personal information held by Commonwealth agencies as "Commonwealth records." It is an offence to destroy them without authorisation.[31] Your name, date of birth, identity document details, and verification history belong to the Commonwealth. The "delete" button deletes nothing.
The Document Verification Service (DVS) checks identity documents against issuing authority records. In 2023–24:[32]
Digital Rights Watch: the government conducted "hundreds of millions of identity checks without a legislative framework" — calling it "likely unlawful."[34]
By December 2026, Phase 3 opens applications for private sector relying parties — banks, telcos, and more.[7]
| Feature | myGov (Australia) | GOV.UK (UK) | e-Estonia | Singpass (Singapore) |
|---|---|---|---|---|
| Termination | "Any time, any reason" | Specific grounds | Cannot terminate | Specific grounds |
| Liability | None accepted | Some acknowledged | Full audit trail | Shared |
| Citizens see who accessed data? | No | Limited | Yes + criminal penalties | Yes |
| Tracker disclosure | "We use cookies" | Names every tracker | Transparent | Detailed |
| Consent to changes | "Reasonable to assume" | Must actively accept | Legislative process | Formal notification |
| Architecture | Centralised | Centralised | Decentralised | Decentralised |
| Open source | No | Partially | Yes (X-Road) | Partially |
Estonia's e-government lets citizens see every government employee who accessed their records. Officials face criminal penalties for unauthorised access.[35]
Researchers at Deakin University found Australia's Digital ID system "falls short of global privacy standards."[36]
The OAIC has the legal power to seek civil penalties of up to $50 million against government agencies for serious privacy interferences. But it has never done so.[37]
Every civil penalty proceeding has been against private sector entities — Facebook, Australian Clinical Labs, Optus.[37]
Australians' personal information held by government has weaker practical protection than information held by private companies — despite the same legal framework nominally applying to both.
The strongest pathways are the three discrimination Acts (DDA, RDA, ADA) — they explicitly cover government services, have no "trade or commerce" limitation, and have established precedent.[28]
| Law | Section | Requires | What myGov does | Assessment |
|---|---|---|---|---|
| Privacy Act 1988 | APP 1.4(f)(g) | List overseas recipients + countries | Lists none. Says "we don't disclose overseas" while UK company views biometrics. | Breach |
| Privacy Act 1988 | APP 5.2 | Notify at time of collection | 7 trackers collect silently. No notification. | Breach |
| Privacy Act 1988 | APP 8.1 + s 16C | Ensure overseas recipients comply. Strict liability. | Data flows to 5 US corporations. | Probable |
| Privacy Act 1988 | APP 6.1 | Primary purpose or reasonably expected | Disclosing to Meta not "reasonably expected" for welfare. | Probable |
| Privacy Act 1988 | APP 11.1 | "Reasonable steps" to protect | 174 breaches/yr. "Unprepared." Refused to patch known vulnerability. | Probable |
| Privacy Act 1988 | s 13G | Penalty: serious interference | Up to $50,000,000. Multiple findings qualify. | Never enforced vs govt |
| APP Code 2017 | s 12(1) | PIAs for high-risk projects | No published PIAs for trackers, session recording, biometrics. | Probable |
| Digital ID Act 2024 | s 53 | Prohibits data profiling | Tracking infrastructure profiles online behaviour. | Probable |
| Digital ID Act 2024 | s 74 | Cannot require Digital ID | ATO locks in permanently. Centrelink requires Strong myID. | Under pressure |
| DDA 1992 | s 6, s 24 | Cannot discriminate in services; covers govt | Face scan as Centrelink gateway. Digital-only push. | Strong case |
| RDA 1975 | s 9 | Acts with discriminatory effect unlawful | 200,000+ Indigenous Australians lack birth certificates. | Strong case |
| ADA 2004 | s 15, s 28 | Cannot impose unreasonable age-disadvantaging conditions | Digital-only. Alternatives being reduced. | Strong case |
| SS(Admin) Act 1999 | ss 126–145 | Decisions affecting payment must be reviewable | "Any time, any reason" termination outside review framework. | Probable |
| Admin law | Kioa v West | Natural justice: hearing, reasons, non-arbitrary | "Any time, any reason." No hearing. No reasons. No appeal. | Arguable |
Indicators observed in the page source:

- Adobe Data Layer: `data-cmp-data-layer-name="adobeDataLayer"`
- Adobe Launch: `launch-3792184e5e46.min.js`
- Google Tag Manager container: `GTM-P4CCPCZ`
- New Relic application ID: `688337168`
- Microsoft Clarity: loaded via `/api/v1/clarity`
- Facebook domain verification: meta tag
- Adobe Experience Manager: identified via CSS classes