AusOpenTech / makingAPlan

Creative Commons Attribution Share Alike 4.0 International

Government technology #1

Open vteague opened 3 years ago

vteague commented 3 years ago

I think Australia’s most imminent technical catastrophe is Digital ID – same security and privacy QA as COVIDSafe, but soon to have millions of people’s passports, driver’s licenses and biometrics. Somebody needs to fix that. If you like finding and explaining bugs, please take a look at the TDIF or the ATO’s myGovID or Australia Post’s Digital ID. You might get some problems fixed, but don’t get frustrated if you don’t – it is still a valuable service to find them and explain them to users. (Of course, you should always observe reasonable responsible disclosure, but you are not obliged to keep bugs secret after a reasonable time has elapsed, nor after you have been told they will not be fixed.) You could start with Ben Frengley’s thesis.

What are you examining? What do you think are the most important pieces of software that have had the least scrutiny?

reasonableperson commented 3 years ago

The passage of the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), in August 2019, gave me the impression that I would finally be able to self-host a Mint/Pocketbook-style personal finance app without maintaining brittle web scrapers for every Australian financial institution I deal with, or trusting a third party to do this on my behalf.

The stated objects of the legislation included “to enable consumers … to require information relating to themselves in those sectors to be disclosed safely, efficiently and conveniently … to themselves for use as they see fit.” The resulting Consumer Data Standards also profess that “The CDR is Consumer-centric,” “A diverse range of people are able to access, use, and comprehend the CDR ecosystem,” and “Consumers should be encouraged to be privacy conscious without experiencing cognitive loads that lead to disengagement [and] should also be empowered by the CDR without interactive burdens being placed on them.”

However, if you try to actually build something with these APIs you’ll quickly discover that they are exposed only to “Data Recipients” who “MUST be accredited” according to rules which “are beyond the scope of this artifact.” When I researched whether the stated purpose of the legislation might be achieved in the future, I found this GitHub issue, which seems to indicate that the authors and implementers of the standards (unlike the few consumers who took the time to engage) are happy to limit API access to third parties accredited by the ACCC, rather than directly empowering consumers. This approach to consultation caused me to experience cognitive loads that led to disengagement. But your new project, and efforts to engage with the DTA over COVIDSafe, have restored a little hope.

vteague commented 3 years ago

Yes. Completely agree. The consumer data right could have been framed in a way that improved consumers' rights over their data, but was written in a way that has, if anything, the opposite implication. I'd really like to understand why it went so wrong.