On April 27, 2026, the Australian Taxation Office published a Request for Information to overhaul the biometric layer of the national myID digital identity, the credential that anchors the Australian Government Digital ID System (AGDIS). The tender, which closed May 28, would replace the liveness-detection capability the ATO sourced from iProov under a A$10.7 million three-year contract signed in 2021, and add two new identity-proofing tiers — IP1+ and IP2+, the latter pairing the Face Verification Service with liveness checks. The ATO wants a system that can absorb peak loads of 10,000 verifications an hour with 95th-percentile responses under one second, and that can assess non-Australian documents so citizens abroad are covered (Biometric Update).
For privacy advocates, any expansion of facial verification across roughly 14 million people is a moment to ask hard questions, and the topic of biometric surveillance in public life has rarely been more contested. The strongest version of the concern is serious and worth stating plainly: a national facial-verification rail, once built, becomes a standing piece of infrastructure that a future government could repurpose. Function creep is the rule, not the exception, in identity systems; a database assembled for tax logins can be leaned on by law enforcement, linked across agencies, or quietly made the only practical way to access services. The Electronic Frontier Foundation's reporting on US automated licence-plate readers — built for narrow purposes, now sprawling networks states are trying to hide from public-records requests — is a fair warning about how fast "limited" surveillance tools metastasise (EFF).
What the ATO is actually building
That warning is the right lens — but applied to this tender, it argues for getting the architecture right, not for refusing to upgrade. The case for the refresh is technical and concrete. The 2021 liveness layer predates the current generation of AI-generated deepfakes and presentation attacks aimed at mobile cameras. The RFI demands presentation-attack detection meeting at least Evaluation Assurance Level 2 (Level B) under ISO/IEC 30107-3:2023, a face-matching algorithm with a false-match rate of 0.01% or lower at a 3% false-non-match rate, and third-party attestation from an ISO-accredited testing laboratory (Biometric Update). These are not the specifications of a dragnet. They are the specifications of an authentication system trying to keep impersonators — increasingly synthetic ones — out of other people's tax and benefits accounts.
The distinction between authentication and surveillance is the whole argument. A public-space facial-recognition system identifies people who never consented and may never know they were scanned. myID does the opposite: a user voluntarily presents themselves to prove they are who they claim, in a one-to-one match against documents they chose to enrol. The Digital ID Act 2024, under which AGDIS is accredited, was built to keep it that way — and the early evidence is that the guardrails are real.
The safeguards are the story
Two Office of the Australian Information Commissioner assessments make the point. In its September 2024 review of biometric destruction, the OAIC found the ATO destroys facial images immediately after verification in the standard case, with iProov permitted to retain an image for up to 14 days only where it is suspicious or inconclusive — and even that narrow window required a specific exemption, with the regulator pushing for tighter documentation of the destruction process (OAIC). In an August 2025 assessment of law-enforcement access, the OAIC found the ATO compliant with section 54 of the Digital ID Act and noted there was little biometric data to hand over precisely because so little is retained (OAIC).
This is what proportionate biometric policy looks like in practice: collect narrowly, retain briefly, delete by default, and submit to an independent regulator with teeth. It is the inverse of the always-on, retain-everything model that earns the surveillance label.
Where vigilance still belongs
None of this licenses complacency. The scale-up changes the stakes. AGDIS now carries 15 million myIDs and processed 80 million verifications in its first year under the Act (Minister for Finance), and the 2026-27 federal budget commits A$654.3 million to expansion, including A$357.4 million to the ATO for myID (Biometric Update). Three watch-points deserve naming. First, the extension to diaspora documents widens the data footprint and the attack surface; the 14-day retention discipline must survive that growth. Second, voluntariness is a policy choice, not a law of nature — if more of the 255 government services on AGDIS become reachable only via myID, "optional" becomes mandatory by stealth, and Parliament should resist that drift. Third, the deepfake arms race the tender responds to is permanent; today's EAL2 attestation is a floor, not a finish line.
The right posture is neither reflexive alarm nor blank-cheque enthusiasm. Australia is upgrading a consent-based authentication tool against a real and rising fraud threat, inside a statutory framework that mandates deletion and invites regulatory scrutiny. That is the model other democracies should study — and the standard against which this very upgrade should be held as it rolls out.