At the Internet Society Asia-Pacific Bureau’s meeting on privacy earlier this month, a representative of a government asked how we could have national identification systems that protected privacy. From what I gathered from the conversations that followed, several governments are looking to set up national IDs in the Asia Pacific region.
While having a national ID system is by itself problematic, here is a quick list I made on how not to make a mess of your national ID – if you want to have one despite its risks – along with an explanation for each point:
1. Make it optional: A mandatory national ID is a recipe for surveillance and runs the risk of citizens’ data being compromised in one way or another. Even an optional national ID stands the chance of becoming “voluntary but mandatory” – as the joke about Aadhaar goes – where making it mandatory for services that cover almost the entire population, such as getting mobile services, means that it becomes mandatory for the entire population. Remember that data will get collected, stored, shared and compromised. By making it mandatory, you rob people of the choice of not getting a national ID, and of the option of protecting themselves against potential hacks, leaks, mala fide intent and persecution by current or future dictators.
National IDs and associated data do get hacked and leaked. Estonia, the poster child of digital governance, has had to suspend its digital identification cards. Spain is facing a similar problem. In the United States, 143 million social security numbers have been compromised. And at least 130 million Aadhaar numbers have been published online by the government in India.
2. Make it one of many IDs for authentication: Federated means of identification ensure people can identify themselves where needed without necessarily compromising the only ID they have. A credit card theft does not affect debit card usage. The theft of a driver’s licence as an identity does not affect the collection of a bank subsidy. However, the more linkages you create for a single ID, and the more places people use it, the more the risk of identity theft increases. By limiting usage – for example, for bank accounts, mobile phones, college exams, mutual funds, stock market trading – to a single ID, you run the risk of making that national ID a single point of failure for an individual. Databases will get compromised. Thus, you also run the risk of making it a single point of failure for your entire citizenry/population.
3. Give control to users, to change and revoke an ID: Every instance of usage should be shared with the person supposedly using the ID, just like with messages and cash withdrawal. This helps because in case the ID is compromised, the user can contact the ID authority or the data controller and ask them to revoke or freeze usage. The most important aspect of this is that the ID number must not be a permanent, non-changeable number. The Indian passport, for example, once stolen, is re-issued with a different number. There is also the issue of bounded rationality: that people do not necessarily fully understand the implications of what they are signing up for. Thus, if they feel a few years later that having a national ID puts them at risk of their data getting misused or compromised, they must have the right to revoke it. Consent should not be forever.
4. Enforce usage of derived authentication/pseudonymisation: The usage of derived identification numbers, or of artificial and/or temporary identification numbers, means that the core national ID does not typically get exposed. Each derived ID has a limited use case and/or a limited shelf life, and this mitigates the potential harm from a single ID leaking or being exposed. A national ID by itself should never be a means of identification. For example, see what Austria has done.
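As an added illustration of points 3 and 4 (not code from the article, and not how any real national ID scheme, Austria’s included, is implemented), the toy ID authority below derives a separate, sector-specific pseudonym from the core ID with a keyed hash (HMAC-SHA256 over sector, validity period and core ID), logs every authentication attempt so the holder can review it, and lets the holder freeze or re-issue the core ID so that all previously derived values stop verifying. The authority key, person names, sector names and core IDs are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo key. A real authority would keep this in an HSM and never
# hand it to relying parties (banks, telcos), who only ever see derived values.
AUTHORITY_KEY = b"constructed-demo-key-do-not-use"


def derive_sector_id(core_id: str, sector: str, period: str, key: bytes = AUTHORITY_KEY) -> str:
    """Derive a sector- and period-specific pseudonym from the core national ID.

    HMAC is one-way, so a relying party holding the derived value cannot recover
    the core ID, and two sectors' values for the same person cannot be joined
    without the authority's key. Changing the period (e.g. the year) gives the
    derived ID a bounded shelf life.
    """
    message = b"\x00".join(part.encode() for part in (sector, period, core_id))
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # 128 bits is ample for uniqueness; base32 keeps the token typeable.
    return base64.b32encode(digest[:16]).decode().rstrip("=")


class IdAuthority:
    """Toy ID authority (constructed example): issues derived IDs, logs every
    use, and lets the holder freeze or re-issue the core ID."""

    def __init__(self, key: bytes = AUTHORITY_KEY):
        self.key = key
        self.core_of = {}      # person -> current core ID (re-issuable, like a passport number)
        self.frozen = set()    # persons whose ID use is suspended
        self.usage_log = {}    # person -> [(when, sector, relying_party, accepted)]

    def enrol(self, person: str, core_id: str) -> None:
        self.core_of[person] = core_id
        self.usage_log.setdefault(person, [])

    def issue_sector_id(self, person: str, sector: str, period: str) -> str:
        return derive_sector_id(self.core_of[person], sector, period, self.key)

    def authenticate(self, person, sector, period, presented, relying_party, when) -> bool:
        expected = derive_sector_id(self.core_of[person], sector, period, self.key)
        accepted = hmac.compare_digest(expected, presented) and person not in self.frozen
        # Every attempt, accepted or not, is recorded so the holder can review it,
        # the way a card payment triggers an SMS.
        self.usage_log[person].append((when, sector, relying_party, accepted))
        return accepted

    def freeze(self, person: str) -> None:
        """Holder suspects compromise: all derived IDs stop verifying at once."""
        self.frozen.add(person)

    def reissue(self, person: str, new_core_id: str) -> None:
        """Replace the core ID; every previously derived value becomes invalid."""
        self.core_of[person] = new_core_id
        self.frozen.discard(person)


def linkable_records(leak_a, leak_b) -> int:
    """How many records in two relying parties' leaked ID columns can be joined."""
    return len(set(leak_a) & set(leak_b))


if __name__ == "__main__":
    auth = IdAuthority()
    auth.enrol("alice", "CORE-0001")
    bank_id = auth.issue_sector_id("alice", "banking", "2017")
    telco_id = auth.issue_sector_id("alice", "telecom", "2017")
    print("bank:", bank_id, "telecom:", telco_id)
    print("joinable across the two leaks:", linkable_records([bank_id], [telco_id]))
```

The point to take from running it: a breach at the bank exposes only the banking pseudonym, which neither reveals the core ID nor joins against the telco’s records, and a holder who notices an unexpected entry in the usage log can freeze or re-issue the ID and invalidate every outstanding derived value at once.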
5. Give citizens legal right to recourse: A legal recourse is a deterrent against misuse. While it may sound inexplicable that someone cannot sue an entity that has stolen their data, or sue a data controller against improper storage/security or conduct when it comes to processing or storage of this data, that is what has happened in the case of India’s national identification project Aadhaar. There is no legal deterrent against, say, publishing data online, which has been done by 210 government websites, just four of which published the data of 130 million Aadhaar holders. An option of a legal recourse against something that compromises your personal data acts as a deterrent against such acts. All it takes is for one case to make everyone change the way they operate.
6. Purpose limitation for national ID usage: A national ID that is digitally linked to and can authenticate a large number of services is likely to be seen as a key reason, and a significant convenience, for having a national ID. However, it is important not to link the national ID to services unless it is absolutely necessary, that is, unless the service cannot function without the ID linkage. The more the use cases for the national ID, the greater the risk of social hacks that can compromise even the most digitally literate citizens. This leaves the illiterate and the digitally illiterate, or neophytes, even more vulnerable: they do not know the risks of the consent they are giving. This is where consent alone is insufficient.
Most importantly, the national ID should not be linked to sensitive personal data such as DNA banks and health records. The national ID becomes especially problematic when it is linked to external, non-governmental databases such as mobile numbers, and is used to share personal data with a mobile operator, given that governments and ID authorities do not necessarily have the wherewithal or capacity to monitor the security practices of third parties.
7. No biometric authentication: I cannot emphasise this enough. Biometric information is a permanent identifier and can be easily compromised. Fingerprints can be copied from high resolution photographs, or from that glass you just held. So can the iris. Social hacks can lead to copying of fingerprints, say, if someone puts a fake authentication machine before you, before they place the real one. Sure, credit cards can be copied too, but cards can be replaced. Your fingerprints cannot. If you have a permanent ID (say, Aadhaar) and a permanent password (your fingerprint), one getting compromised means someone only needs the other factor and you are compromised forever. Note that the mobile one-time password is not secure either and has been used in hacks in the past, and mobile networks operate on a maximum of 44 bit encryption.
Outside of security, digital biometric authentication also suffers from other problems: for example, lack of internet connectivity for authentication, and fingerprints getting worn out – a problem faced by manual labourers and the aged. Such situations could end up depriving those who most need their benefits of them.
8. Data protection law comes before national ID: One of the key mistakes India made with Aadhaar is that there is still no data protection law, while the national ID has been around for almost seven years. An Act governing the national ID was not even passed until the ID had been around for almost five years. Thus, no privacy principles have been established, and no norms regarding data collection, storage, transfer, linkages, sharing and disposal are in place. There are no penalties in place for violations of these norms either. It is a free-for-all. Do not do this.
9. Do not hurry or push for 100% penetration: Undue haste and the creation of deadlines for enrolment for a national ID can create panic among citizens. And such situations lend themselves to exploitation and fraud, especially in scenarios where people are being denied their entitlements, or run the risk of key accounts – like their bank accounts – getting frozen for lack of a mandatorily linked ID. Do not subvert democracy to increase the speed of enrolment. Instead, if you must have a national ID, roll it out without haste, at the convenience of people, with improved checks and balances. Above all, do not outsource enrolment to third party agencies, paying them on a per enrolment basis, which creates a perverse incentive for maximising enrolments. Speed causes more harm than good here.
10. A budget for citizen awareness, education and grievance redressal: Something as significant as a national ID project can lend itself to a lot of misinformation and misinterpretation. There are also likely to be several issues related to enrolment, registration and authentication.
This is, of course, besides the point that there are excellent reasons for not having a national ID, such as:
- Linking multiple databases to a single ID is harmful for citizens. It is more likely to form the basis of a mass surveillance system and has the risk that a fascist regime can use it for ethnic cleansing or segregation.
- It does not address terrorism or volume-based pilferage of benefits, which are likely to continue despite a national ID. It can, in fact, be used to deny people benefits.
- It creates a new power centre, from the perspective of a single body that has the power to delist an individual from the database, thereby delinking them from essential services (if those are linked to a national ID).
- It is also worth noting that data is a toxic asset, and the harm from losing data when it gets leaked or hacked is far greater than the benefit of collecting and storing that data.
This article first appeared on Medianama.