TDIF Accreditation documents
Dear Digital Transformation Agency,
I request under the Freedom of Information Act the following documents (as set out in the Trusted Digital Identity Framework Accreditation Process documentation), for the identity services provided by the Australian Tax Office and Australia Post, as well as for any existing accredited Identity Exchanges:
- TDIF Application Letters
- Statements of Applicability
- Completed Accreditation Plans
- Assessor Findings reports
- Reports covering technical integration testing and service operations readiness
- TDIF Memorandum of Understanding
- Assessment Plans, Assessment Reports, and Qualifying Attestation Letters provided as part of annual assessments
- Exemption requests and related evidence
- Formal responses to or acknowledgement of any of the above documents
- Compliance and remediation advisories
- Requests for access to Restricted Attributes and related evidence
Please note that this request is a replacement for FOI 185/2020.
Yours faithfully,
Ben Frengley
OFFICIAL
Hi Ben,
Freedom of Information Request – FOI 188/2020
Thank you for your email to the Digital Transformation Agency (DTA) for access to documents under the Freedom of Information Act 1982 (FOI Act).
List of documents requested:
I request under the Freedom of Information Act the following documents (as set out in the Trusted Digital Identity Framework Accreditation Process documentation), for the identity services provided by the Australian Tax Office and Australia Post, as well as for any existing accredited Identity Exchanges:
- TDIF Application Letters
- Statements of Applicability
- Completed Accreditation Plans
- Assessor Findings reports
- Reports covering technical integration testing and service operations readiness
- TDIF Memorandum of Understanding
- Assessment Plans, Assessment Reports, and Qualifying Attestation Letters provided as part of annual assessments
- Exemption requests and related evidence
- Formal responses to or acknowledgement of any of the above documents
- Compliance and remediation advisories
- Requests for access to Restricted Attributes and related evidence
The statutory period for processing your request commences from the day after DTA received your request. Your request was received by DTA on 12 May 2020. The processing period may be extended if we need to consult third parties, impose a charge or for other reasons. We will advise you if this happens.
Liability to pay a charge
You will be notified of any charges in relation to your request as soon as possible, before we process any requested documents or impose a final charge.
Publication
As required by the FOI Act, information released under the FOI Act may later be published online unless an exemption applies. For example, personal information will not be published where this would be unreasonable. Any documents provided to you under the FOI Act will be published on our disclosure log (www.dta.gov.au) as soon as practicable after they are released to you, usually 1 – 2 working days.
Policy to exclude junior departmental officer contact details
The DTA will include the names and contact details of SES officers in any document released under FOI. However, the DTA has adopted a policy to generally exclude the names and contact details of junior staff (non-SES officers) from any FOI documents. DTA’s preference is to reach agreement with FOI applicants to exclude these details from the scope of the request. Where there is no objection, the names and contact details of junior officers are redacted under section 22 of the FOI Act, on the basis that these details are irrelevant to the request.
Please contact the FOI Team on the below contact details if you wish to discuss your request.
Reference: FOI 188/2020
Contact: FOI Team
e-mail: [email address]
Regards,
Morgan
--
Freedom of Information
Digital Transformation Agency (DTA)
Australian Government
www.dta.gov.au
Email: [email address]
+61 2 6120 8541
OFFICIAL
OFFICIAL
Hi Ben,
A letter about your request.
Morgan
--
Freedom of Information
Digital Transformation Agency (DTA)
Australian Government
www.dta.gov.au
Email: [email address]
+61 2 6120 8541
OFFICIAL
Dear FOI,
I would like to revise my request as follows.
I request the following documents (as set out in the Trusted Digital Identity Framework Accreditation Process documentation) for the accredited identity services (identity providers and/or identity exchanges) provided by the Australian Tax Office:
- Assessor Findings reports
- Reports covering technical integration testing
- Assessment Reports provided as part of annual assessments
- Exemption requests and related evidence
Yours sincerely,
Ben Frengley
OFFICIAL
Hi Ben,
A decision letter is attached.
Regards,
Morgan
--
Freedom of Information
Digital Transformation Agency (DTA)
Australian Government
www.dta.gov.au
Email: [email address]
+61 2 6120 8541
OFFICIAL
Ben Frengley left an annotation
I have submitted a request for an OAIC review of this decision, with the following reasoning:
The DTA has decided that the documents are exempt under section 47E(d) of the FoI Act, specifically that their release would "have a substantial adverse effect on the proper and efficient conduct of the operations of an agency." I believe this is wrong: "proper" and "efficient" are two very different criteria. In the case of the security and privacy properties of cryptographic protocols, quick accreditation of non-compliant systems by people who do not fully understand the consequences could result in improper (i.e. incorrect) certification of systems that did not in fact meet the intended security requirements of the TDIF. Open examination of both the systems and the accreditation process, by informed members of the public, could substantially improve both the security of the systems and the proper functioning of the certification process.
I have sought access to the documents requested to shed light on concerns that a focus on speedy approvals in the name of efficiency may have resulted in the accreditation of identity services that may not deserve accreditation because they may fail to fully meet privacy and security requirements in the specifications for accreditation.
The decision to deny access should be overturned because based on the reasons provided it does not:
· sufficiently identify and weigh in the balance the full range of public interest factors that favour access;
· sufficiently explain the basis for or the evidence supporting the assertions that disclosure of all of the documents sought could reasonably be expected to prejudice:
    · DTA’s ability to obtain confidential information;
    · DTA’s ability to obtain similar information in the future; or
    · the effectiveness of DTA’s expected regulatory activities.
The supporting statement that: "The system would be undermined if it was generally known the details of the framework, which would in turn affect public confidence in the Digital Identity system" is nonsensical, because the details of the framework are already described in considerable detail on the DTA's website. The DTA argues further that "The release of this material at this time would erode trust the community and agencies have in the DTA that would have a substantial adverse effect on the continuing work DTA are undertaking on the framework." On the contrary, I believe technical input from the public could have a substantial positive effect on the DTA's regulatory process and technology. If the DTA is suggesting that public confidence would be undermined by general public knowledge of the accreditation process or implementation details of accredited identity services, then this suggests that there may be weaknesses in the services or the accreditation system.
The DTA's assessment of factors favouring disclosure is incomplete. Public interest matters favouring disclosure of the requested TDIF information include that it:
· reveals the reasons for government decisions to provide accreditation and any background or contextual information that informed the decision; and
· informs debate on a matter of public importance, including allowing or assisting inquiry into possible deficiencies in the conduct or administration of an agency or official; and
· informs members of the public about the security and privacy properties of the accredited system, thus facilitating informed individual choice about whether to use it; and
· improves the quality of the technical solution by allowing independent analysis and examination of its security and privacy properties.
The DTA's suggestion that disclosure risks "possibly revealing vulnerabilities and operations" indicates that they do not understand the nature of secure systems - revealing the details so that Australian researchers could identify and correct problems would make the system more secure; keeping its details secret will not cause its vulnerabilities to go away.
I have recently actively participated in examination and public discussion of the technical protections of the DTA's COVIDSafe app, and have helped to identify and correct weaknesses. This has both informed public debate and directly contributed to improving the app. I believe a similar open analysis and discussion of TDIF accreditation would also be in the public interest. The case for this is even strengthened by the TDIF's focus on transparency and informed user choice.
I note that the DTA has rearranged and renamed some of their documents since my original FoI application was made due to the release of a new version of the TDIF. However, the accreditation in question would have been completed under the previous version and I would argue that this should make no difference to my right of access to the documents requested as these have already been identified in the context of the decision to refuse me access to them.