Proprietary MyGovID app to be the only way to login to ATO Business Portal
Hi Folks,
I've just sent a letter to the Commissioner of Taxation about the rollout of MyGovID as the only way to log in to the ATO Business Portal. This is attached in case there are any business owners who I can encourage to also speak out.
Essentially the ATO is switching off the nice email/password/SMS-code MyGov login method I use to access the Business Portal to manage tax/GST/PAYG/super. They are replacing this with login via a proprietary mobile app called, confusingly, MyGovID. I'm late to the party, with the changeover due in only a few days' time, but better late than not heard at all.
I've sent this to the ATO by post and via their complaints form:
https://www.ato.gov.au/About-ATO/Contact-us/Complaints,-compliments-and-sugg...
I've also contacted our Federal MP about the issue.
Stay safe!
Ben
This may be the only "official" way to sign in, but it's not the only option. MyGovID just does TOTP with SHA512, so assuming you have a TOTP app that doesn't just do SHA1 (I use FreeOTP+, but there are plenty of other options), you can use the tool that this clever human wrote, that basically pretends to be the MyGovID app for the purposes of set-up, and gives you a regular QR-code to feed to your TOTP app: https://github.com/abrasive/mygov-totp-enroll
On Tue, Mar 24, 2020, at 17:44, Ben Sturmfels wrote:
> Hi Folks,
> I've just sent a letter to the Commissioner of Taxation about the rollout of MyGovID as the only way to log in to the ATO Business Portal. This is attached in case there are any business owners who I can encourage to also speak out.
> Essentially the ATO is switching off the nice email/password/SMS-code MyGov login method I use to access the Business Portal to manage tax/GST/PAYG/super. They are replacing this with login via a proprietary mobile app called, confusingly, MyGovID. I'm late to the party, with the changeover due in only a few days' time, but better late than not heard at all.
> I've sent this to the ATO by post and via their complaints form:
> https://www.ato.gov.au/About-ATO/Contact-us/Complaints,-compliments-and-sugg...
> I've also contacted our Federal MP about the issue.
> Stay safe!
> Ben
_______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au https://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-...
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
*Attachments:* * ato-mygovid.pdf
-- Regards, Matt Cengia (he/him/his)
Thanks Matt, that's encouraging, I'll have to try that out!
I still think that it's worth some activism here though - non-technologists shouldn't be second class citizens and we shouldn't have to work around the systems that we pay for.
On 24/3/20 5:49 pm, Matt Cengia wrote:
> This may be the only "official" way to sign in, but it's not the only option. MyGovID just does TOTP with SHA512, so assuming you have a TOTP app that doesn't just do SHA1 (I use FreeOTP+, but there are plenty of other options), you can use the tool that this clever human wrote, that basically pretends to be the MyGovID app for the purposes of set-up, and gives you a regular QR-code to feed to your TOTP app: https://github.com/abrasive/mygov-totp-enroll
Oh yeah, I totally agree; we shouldn't need a third-party tool to do something that should already be offered by the MyGov website. I understand that maybe they didn't trust TOTP apps to support SHA512 hashes (I know that when I tried with LastPass Authenticator, it just *ignored* the SHA512 bit and tried to use the key with a SHA1 hash, resulting in the wrong code with no explanation or error), but there are better options than *forcing* people to use an app like this.
On Tue, Mar 24, 2020, at 17:58, Ben Sturmfels wrote:
> Thanks Matt, that's encouraging, I'll have to try that out!
> I still think that it's worth some activism here though - non-technologists shouldn't be second class citizens and we shouldn't have to work around the systems that we pay for.
-- Regards, Matt Cengia (he/him/his)
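
The mismatch described in the message above (an authenticator silently using SHA-1 with a key enrolled for SHA-512) can be reproduced with a small RFC 6238 implementation. This is an added example, not code from the thread or from mygov-totp-enroll; the secret is the RFC 6238 Appendix B test value, and the otpauth label and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of elapsed time steps."""
    try:
        digestmod = HASHES[algorithm.upper()]
    except KeyError:
        # Refuse loudly rather than silently falling back to SHA-1.
        raise ValueError(f"unsupported TOTP algorithm: {algorithm!r}") from None
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, digestmod).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def parse_otpauth(uri: str) -> dict:
    """Extract TOTP parameters from an otpauth:// URI (what an enrolment QR code encodes)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = query["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # URIs usually omit base32 padding
    return {
        "secret": base64.b32decode(b32),
        "algorithm": query.get("algorithm", "SHA1"),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def code_honouring_algorithm(uri: str, unix_time: int) -> str:
    """Code from an app that reads the algorithm parameter."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])


def code_ignoring_algorithm(uri: str, unix_time: int) -> str:
    """Code from an app that drops the algorithm parameter and uses SHA-1."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, "SHA1", p["digits"], p["period"])


# Constructed sample: the 64-byte SHA-512 test secret from RFC 6238 Appendix B.
RFC_SHA512_SECRET = b"1234567890123456789012345678901234567890123456789012345678901234"
SAMPLE_URI = (
    "otpauth://totp/Example:user?secret="
    + base64.b32encode(RFC_SHA512_SECRET).decode().rstrip("=")
    + "&algorithm=SHA512&digits=8&period=30"
)

if __name__ == "__main__":
    t = 59  # first test time in RFC 6238 Appendix B
    print("app honouring algorithm:", code_honouring_algorithm(SAMPLE_URI, t))
    print("app ignoring algorithm: ", code_ignoring_algorithm(SAMPLE_URI, t))
```

Both apps accept the same QR code without complaint; only the one that honours `algorithm=SHA512` produces the code the server expects, which is why the failure shows up as a rejected login rather than an enrolment error.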
Apps released by the government should not be proprietary; they should be free software. They make the software with our taxpayer dollars, so we have a right to it. https://publiccode.eu/
Would Free Software Melb be interested in campaigning against MyGovID?
- People should not be forced to own a recent smartphone.
- People should not be forced to install apps (especially proprietary apps) on their phone.
- Software developed by the government using our taxpayer dollars should be free software, not proprietary.
Koji
Mar 24, 2020, 07:00 by mattcen+softwarefreedom@mattcen.com:
> Oh yeah, I totally agree; we shouldn't need a third-party tool to do something that should already be offered by the MyGov website. I understand that maybe they didn't trust TOTP apps to support SHA512 hashes (I know that when I tried with LastPass Authenticator, it just *ignored* the SHA512 bit and tried to use the key with a SHA1 hash, resulting in the wrong code with no explanation or error), but there are better options than *forcing* people to use an app like this.
[Apologies for the cross-post if you're also on the linux-aus mailing list.]
Just a quick update - I had a lovely call from a person at ATO responding to my complaint. A couple of things they mentioned:
- ATO is the first agency to use MyGovID
- they have a feedback form on https://www.mygovid.gov.au <- USE IT
- they have received quite a bit of feedback similar to mine
- there was some form of hard deadline in place around their previous authentication set up around 10 years ago - sounded like a contract expiry but I didn't get specifics - may have been just related to AusKey
- they really didn't know how the transition was going to go - now they have learned, surprise surprise, for example a bunch of tax accountants who don't have smartphones - much respect to those accountants!
- currently the Digital Identity team is only speaking with people who are having technical difficulties with the app, not people who want to participate in the upstream process
All in all, they were very empathetic about the ethical issues of requiring Apple or Google accounts and trust in proprietary tech. If you can spare a few minutes, this is an important time to be heard and they are certainly listening.
Regards, Ben
On 24/3/20 5:44 pm, Ben Sturmfels wrote:
> Hi Folks,
> I've just sent a letter to the Commissioner of Taxation about the rollout of MyGovID as the only way to log in to the ATO Business Portal. This is attached in case there are any business owners who I can encourage to also speak out.
> Essentially the ATO is switching off the nice email/password/SMS-code MyGov login method I use to access the Business Portal to manage tax/GST/PAYG/super. They are replacing this with login via a proprietary mobile app called, confusingly, MyGovID. I'm late to the party, with the changeover due in only a few days' time, but better late than not heard at all.
> I've sent this to the ATO by post and via their complaints form:
> https://www.ato.gov.au/About-ATO/Contact-us/Complaints,-compliments-and-sugg...
> I've also contacted our Federal MP about the issue.
> Stay safe!
> Ben
I received a reply from the ATO. I've summarised my original email and its response, and included the full text of the response below.
Koji

Summary
=======

My original email
-----------------
Concerns:
- myGovID should not require a recent smartphone.
- myGovID should not require an Apple or Google account.
- myGovID must be free software, not remain proprietary.
Recommendations:
- make myGovID binaries available for desktop operating systems.
- make myGovID binaries available as a direct download and F-Droid.
- publish checksums or cryptographic signatures of myGovID binaries.
- release myGovID as free software. publish source code and documentation.
- make the build of myGovID reproducible: https://reproducible-builds.org/

ATO's response
--------------
Response:
- the old AUSkey system was hardcoded to expire on 2020-03-27.
- each AUSkey was assigned to a business, not an individual.
- each myGovID is unique to an individual.
- AUSkey credentials were forgotten or misused (eg: shared to others).
- a recent smartphone is required for crypto and biometric capabilities.
- the smartphone is required only for login; PCs can be used thereafter.
- people who buy a smartphone just for myGovID may claim a tax deduction.
- "The Australian Government is serious about safety and privacy online."
- "myGovID is accredited under the Australian Trusted Digital Identity Framework ..."
- ("source code" mentioned but no further comment)
- people unable to use myGovID have options including paper lodgement.

Full text
=========
Thank you for letting us know about your concerns in regards to the transition from AUSkey to myGovID and Relationship Authorisation Manager. Providing us with your concerns gives us an opportunity to improve our services to you and the community.
We would like to provide some information to provide clarity about the AUSkey transition and myGovID.
The AUSkey system was built over 10 years ago and each AUSkey today has a hard coded expiry date which cannot be extended beyond the 27th March 2020. The system has not kept pace with modern advances in technology or expectations of the community, and there are a number of issues, including:
- not compatible with most modern internet browsers,
- needing a separate AUSkey for every business a person acts on behalf of,
- it is locked down to a PC, not available on mobile devices, and
- is difficult to install and recover when a password is forgotten.
In addition to user irritants there are significant issues with the AUSkey system, including misuse such as sharing credentials and passwords which compromises the integrity of the ATO’s online environment.
As a result, the ATO are moving away from desktop and/or browser authentication and all users will need their own compatible smart device to use myGovID. Accessing myGovID via a smart device allows use of the identification and security features provided by the smart device - like fingerprint and face verification.
The myGovID app allows a user to logon to, and transact from any device and commonly supported browser. myGovID is only required for the logon step and a user can continue to use their PC or laptop when accessing online services.
A compatible smart device is required to use myGovID (an iOS or Android based mobile phone or tablet) and we recognise that some users may need to upgrade their device. The cost of purchasing a new device starts at less than $100.
Please note if an individual is required to obtain a new smart device and use it for work purposes, they may be able to claim a deduction if they:
- Pay for these costs themselves, are not reimbursed and
- Have records to support their claims.
The amount and type of deduction they can make will depend on what they use their smart device for. If they have bought a smart device and they use it for work, they can claim a deduction for a percentage of its cost. If they use their smartphone for private use and work related activities, they will need to determine the percentage of use related to their business to calculate any claim for allowable deductions.
They can locate further information about ‘Claiming mobile phone, internet and home phone expenses’ on the ATO website by entering QC 46119 into the search bar at www.ato.gov.au
The Australian Government is serious about safety and privacy online. As part of the ongoing commitment to security in a constantly evolving digital economy, AUSkey and Manage ABN Connections (MAC) will officially be decommissioned end of March 2020.
myGovID is a digital identity credential that is unique to an individual. Individuals will access their myGovID via their smart device when logging into online government services for both personal and business/work purposes.
The app is designed to run on modern and secure operating systems, we use secure cryptographic credentials to authenticate our users and these credentials are further protected by their device biometric or password.
myGovID is accredited under the Australian Trusted Digital Identity Framework which strictly controls how identity data is collected, stored and used. When using government online services, personal information won’t be shared without permission.
Thank you for your feedback regarding our source code. We’re continually looking to improve the myGovID app with feedback like yours.
For users who are unable to transition to myGovID and RAM, options to fulfil tax obligations include:
- lodgment through third party cloud-based business software,
- the use of a tax or BAS agent,
- phone lodgment (not available for all lodgment types), and
- paper lodgment (not available for all lodgment types).
(omitted statements about COVID-19 and ending greeting)
[Again, apologies for the cross-post if you're also on the linux-aus mailing list.]
Another update. A representative of ATO called to suggest that as a sole-trader (not a company), I can manage activity statements and superannuation through the ATO linked service on https://my.gov.au. I tried this and after doing the necessary linking security questions, I get essentially the exact same functionality I had via the ATO Business Portal.
This isn't an option for companies though, who are forced to use MyGovID so that multiple authorised people can access these features on the ATO Business Portal.
The representative told me that there's no plans to move my.gov.au to MyGovID login for the foreseeable future.
So that solves my issues for now, but I expect it's only a matter of time before MyGovID gets more widely rolled out.
Regards, Ben
On 31/3/20 11:44 am, Ben Sturmfels wrote:
> [Apologies for the cross-post if you're also on the linux-aus mailing list.]
> Just a quick update - I had a lovely call from a person at ATO responding to my complaint. A couple of things they mentioned:
> - ATO is the first agency to use MyGovID
> - they have a feedback form on https://www.mygovid.gov.au <- USE IT
> - they have received quite a bit of feedback similar to mine
> - there was some form of hard deadline in place around their previous authentication set up around 10 years ago - sounded like a contract expiry but I didn't get specifics - may have been just related to AusKey
> - they really didn't know how the transition was going to go - now they have learned, surprise surprise, for example a bunch of tax accountants who don't have smartphones - much respect to those accountants!
> - currently the Digital Identity team is only speaking with people who are having technical difficulties with the app, not people who want to participate in the upstream process
> All in all, they were very empathetic about the ethical issues of requiring Apple or Google accounts and trust in proprietary tech. If you can spare a few minutes, this is an important time to be heard and they are certainly listening.
> Regards, Ben