An open letter to the leaders of international development banks, the United Nations, international aid organisations, funding agencies, and national governments:
We are a group of civil society organisations, technologists, and experts who work on digital identity developments across the world. We urge you to consider the impact that ill-considered, badly designed, and poorly implemented digital identity programmes can have on human lives, and follow our recommendations to protect human rights. We urge that some basic questions on the objectives, need, and benefits of these digital identity programmes must be answered before pursuing the what, the how, the when, and the who of digital identity. We write to raise our voice and ask this very first basic question — Why ID?
A Basic Question: Why ID?
There is a generalised assumption that certain kinds of digital identity programmes empower users, especially those in marginalised populations, by giving them legal identification and access to public services. Digital identity programmes can provide some of the same benefits to users as conventional identity and can reap the benefits of scalability of technology. However, the scalability of digital identity programmes also makes their harms scalable. It is far from being proven that most digital identity programmes have brought additional benefits to users, without placing them at risk.
Current justifications for these programmes are often theoretical, and programmes are deployed without sufficient supportive evidence of the promised benefits. On the other hand, the harms that are suffered by individuals through badly designed and implemented digital identity programmes are real and in many cases, irreparable. Unfortunately, marginalised populations suffer the greatest harm. These digital identity programmes are all too often designed and implemented without a recognition of regional and local realities and without the consultation of key stakeholders including the most vulnerable. If many developed countries have questioned and opposed similar digital identity programmes, why are they being routinely deployed in the developing world?
Human agency and choice form the foundation of human dignity. Humans being enrolled in any programme have a basic human right to understand the system and its justification and participate in designing its structure and implementation. Some basic questions on the objectives, need, and benefits of these digital identity programmes must be answered before pursuing the what, the how, the when, and the who of digital identity.
Current Problems with Digital ID Programmes
Most digital identity programmes follow a centralised and ubiquitous model, without delivering incremental benefits to users. The central digital identity is linked to multiple other IDs and purposes for each user. This framework provides an ability to track and log everyday activities and transactions of a user. High profile cases have demonstrated that these programmes can create the risk of 360 degree profiling and surveillance of users by governments and private actors with access to the databases associated with such programmes. Such an ecosystem can be hugely detrimental to the fundamental right to privacy of users. The problem is accentuated in countries with a lack of comprehensive privacy and surveillance frameworks, compromised institutional standards, and weak independent enforcement. In such countries, financial incentives become stronger for governments and private businesses to delay and dilute privacy and data protection standards, while enabling risky digital identity programmes.
Some proponents of such centralised programmes defend their deployment to achieve so-called “single source of truth” models. These models, however, end up creating rather a single point of failure, which may provide access to sensitive information of communities and even entire populations. Such centralised architectures also attract malicious actors and hence represent bad cybersecurity policy. One breach into the ecosystem could destroy the sanctity and safety of the database.
The mandatory nature of most digital identity programmes leads to exclusionary outcomes. Marginalised groups unable to enroll, due to a variety of circumstances, such as poor technology infrastructure, gaps in technology design, etc., are not able to exercise their basic rights. Enrollment in a digital identity programme must be optional. A digital identity cannot be a precondition to access basic services and rights.
Marginalised populations are being affected the most. Populations such as refugees, transgender people, and those affected by HIV are being required to register in digital identity programmes, as a pre-condition to receiving aid. It is distressing to see international institutions and organisations in charge of aid programmes requiring registration to these types of digital identity frameworks. It is essential to understand that vulnerable populations have a complete lack of negotiation power in such circumstances; consent in such circumstances is hardly valid consent and such enrollment can become coercive. It is incumbent on the aid provider to respect the rights of these populations, while providing aid.
Biometric identifiers, including fingerprints, iris scans, and facial geometry, have become increasingly popular as a means of enrolling individuals into systems and then authenticating users. Biometric data is vulnerable to hacking just like other authentication methods. However, unlike a password, biometric indicators cannot simply be reset or changed as needed. This poses a higher security risk, since it becomes increasingly difficult to repair the damage done by leaks or hacks of biometric data, and thus restore sanctity to biometric-based systems.
Key Questions and Recommendations
Considering all the issues stated above, the proliferation of digital identity programmes is deeply concerning. Human rights must form the centre of all considerations related to digital identity programmes.
We therefore request the champions and supporters of such digital identity programmes to:
[ 1 ] Respond to WhyID? The basic WhyID question has several elements that must be asked at the onset of any digital identity programme in any given region or country:
- Why do we need these foundational digital identity systems? What are their benefits?
- Why are such programmes deployed without sufficient evidence of the benefits that they should deliver? How do these programmes plan to reduce the risk to and safeguard the rights and data of users?
- Why should it be mandatory – either explicitly or de facto – for users to enroll onto these programmes? These programmes are either mandatory through legislative mandates or through making them a precondition to essential services for users.
- Why are these programmes centralised and ubiquitous? Why is one digital identity linked to multiple facets of a citizen’s life?
- Why are countries leapfrogging to digital identity programmes, especially in regions where conventional identity programmes have not worked? The scalability of digital identity programmes also makes their harms scalable.
- Why are these digital identity programmes not following the security guidance coming out of various expert academic and technical standard-setting bodies on the use of biometrics in identity systems?
- Why are some private sector enterprises being privileged with access and ability to access the ID systems and build their private businesses on top of them? What safeguards are being implemented to prevent the misuse of information by the private sector? What should be the role of the private sector in the identity ecosystem?
Those who promote these programmes must first critically evaluate and answer these basic WhyID questions, along with providing evidence of such rationale. In addition to answering these questions, these actors must actively engage and consult all actors. If there is no compelling rationale, evidence-based policy plan, and measures to avoid and repair harms, there should be no digital identity programme rolled out.
[ 2 ] Evaluate and, if needed, halt: The potential impact on human rights of all existing and potential digital identity programmes must be independently evaluated. They must be checked for necessary safeguards and detailed audit reports must be made public, for scrutiny. If the necessary safeguards are not in place, the digital identity programmes must be halted.
[ 3 ] Moratorium on the collection and use of biometrics (including facial recognition) for authentication purposes: Digital identity programmes should not collect or use biometrics for the authentication of users, until it can be proven that such biometric authentication is completely safe, inclusive, not liable to error, and is the only method of authentication available for the purpose of the programme. The harms from the breach of biometric information are irreparable for users and the ecosystem.
The undersigning organisations expect international, regional, and national leaders to address the why before they act. Those who promote digital identity programmes must thoroughly answer these questions, and follow human rights-centric approaches to identity. Each identity programme has an inherent requirement of trust from the user. Trust can only be built on the foundation of transparency and accountability. Trust can only be built when systems are designed to promote, empower, and protect the rights of citizens across the world. And that is exactly what the main objective of all policymakers should be.
#WhyID: Add Your Name
You can also sign the letter, join the mailing list, or find out more about our ongoing collective work on digital identity by emailing [email protected]
- A Common Future (Cameroon)
- Access Now (Global)
- Accountability Counsel (Global)
- Action for Research and Development (AFORD) (Kenya)
- ADUCID (Czech Republic)
- AfroLeadership (Cameroon)
- Alternatives, Inc. (Canada)
- Article 19 (Global)
- Article 19 Eastern Africa (Kenya)
- Article 21 Trust (India)
- Asociación por los Derechos Civiles (Argentina)
- Association for Progressive Communications (APC) (Global)
- ASUTIC (ICT Users Association) (Senegal)
- Bareedo Platform (Somalia)
- Bits of Freedom (The Netherlands)
- Body & Data (Nepal)
- Centre for Minority Rights Development (Kenya)
- Civil Liberties Union for Europe (Europe)
- Civil Pole for Development and Human Rights (Tunisia)
- Collective Data Trust (Global)
- Civilsphere Project (Czech Republic)
- CRC4D (Netherlands)
- Cytech (Greece)
- Danube Tech (Austria)
- Data Rights South Africa (South Africa)
- Den norske Uighurkomiteen / Norwegian Uyghur Committee (Norway)
- Derechos Digitales (Latin America)
- Digital Rights Foundation (Pakistan)
- Digital Rights Nepal (Nepal)
- Digital Rights Watch (Australia)
- dotCIVICs (Africa)
- Electronic Frontier Finland (Effi) (Finland)
- Electronic Frontier Foundation (EFF) (Global)
- Epicenter.works (Austria)
- Ethics in Technology (USA)
- Fight for the Future (USA)
- Foundation for Media Alternatives (Philippines)
- Freedom House (Global)
- Fundación Acceso (Central America)
- Fundación Datos Protegidos (Latin America)
- Fundación Huaira (Anden Region, Latin America)
- Gambia Cyber Security Alliance (Gambia)
- Gala Initiative Uganda (Uganda)
- Give1Project Gambia (Gambia)
- Global Identity Foundation (Global)
- Global Data Justice (Global)
- Homo Digitalis (Greece)
- Human Rights Online Philippines (Philippines)
- Human Rights Watch (HRW) (Global)
- HumanFirst.Tech (USA)
- Hiperderecho (Peru)
- HORIBA Europe GmbH (Germany)
- HTTPS Card – Internet Identity Card (United Kingdom)
- Immigrant Defense Project (USA)
- Impacto Digital (Argentina)
- Imperial College London Infectious Diseases Society (United Kingdom)
- Innovative Identity Solutions Limited (United Kingdom)
- Innovation For Change (I4C) (South Asia)
- Institute for Technology and Society of Rio de Janeiro (Brazil)
- Internet Freedom Foundation (India)
- Internet Policy Observatory, Pakistan (Pakistan)
- Internet Sans Frontières (Global)
- IPANDETEC (Central America)
- IVPN (Europe)
- Jamaicans For Justice (Jamaica)
- JCA-NET (Japan)
- Karisma (Colombia)
- Kenya Human Rights Commission (Kenya)
- KICTANet (Kenya)
- Kijiji Yeetu (Kenya)
- Kiyita Foundation (Uganda)
- Lawyers Hub (Kenya)
- Majal.org (MENA)
- Manushya Foundation (Asia)
- MediaForce (Kenya)
- Media, Health & Rights Initiative of Nigeria (Nigeria)
- Metamorphosis Foundation (Europe)
- Myanmar ICT for Development Organization (MIDO) (Myanmar)
- Namati (Global)
- Next Unicorns (Spain)
- Nubian Rights Forum (Kenya)
- OpenConsent (United Kingdom)
- Open Culture Foundation (Taiwan)
- Palmetto Privacy (USA)
- Paradigm Initiative (Africa)
- PEN America (USA)
- Privacy International (UK)
- Privacy Matters (Global)
- R3D: Red en Defensa de los Derechos Digitales (Mexico)
- SelfDID (Global)
- Senegal ICT Users Association (Senegal)
- SFLC.in (India)
- Smart Species (Canada)
- Spectrum (MENA)
- STOPAIDS (UK)
- Swathanthra Malayalam Computing (India)
- Taiwan Association for Human Rights (Taiwan)
- Techfugees (Global)
- TEDIC NGO (Paraguay)
- Thai Netizen Network (Thailand)
- The IO Foundation (Global)
- The Loki Project (Australia)
- The Tor Project (Global)
- Tykn.tech (Netherlands)
- Ubunteam (Africa)
- Unwanted Witness Uganda (Africa)
- Usuarios Digitales (Ecuador)
- VE Inteligente (Venezuela)
- WITNESS (Global)
- World Impact Cabo Verde (Cabo Verde)
- 7amleh (Palestine)
- #PRESS4WORD (USA)
- #SeguridadDigital (Mexico)
- @AmarantaONG (Chile)
Adam Oxford, Adam Williams, Adrian Stanton, Agneris Sampieri, Alex Ducjesn, Albert Sho, Alberto Cottica, Alex Srebroski, Alia Yofira, Amadou Ceesay, Amba Kak, Amber Sinha, Amy Di Benedetto, Ana Serrano, Anas Ambri, Angel Averia, Anivar Aravind, Anne Oloo, Antonio Max, Anthony Decker, Anumeha Yadav, Armin Hashemi, Audrey Tang, Ayse Sargin, Bendjédid Rachad Sanoussi, Berhan Taye, Bernadette Kamleitner, Blessing Ajimoti, Brian Sang, Bridget Andere, Brindaalakshmi K, Brittney Gravatt, Bulanda T Nkhowani, Cameron McClure, Catherine Muya, Celina Carvalho, Celinie Nguyen, Charles Juma, Charles Mok, Charles Nyukuri, Charlie Martial Ngounou, Chido Musodza, CJ Macbeth, Connor Gordon, Craig Gabelich, Damian Loreti, Daniel Graf, Danny Rayman Labrin, David Behery, David Fornazier, David Way, Dean Bukovac, Debora C., Dinesh M R, Donna Wentworth, Drachen` Birch, Dwight Keafer, Ebaa Al Boiny, Eddington Shayanowako, Eduardo Carrillo, Eduardo Torres, Eleanor Hagopian, Elena Hazimin, Ellie Walker, Emma Gull, Ephraim Percy Kenyanito, Eric Dekkers, Eric Dunn, Erica Corr, Esa Kari, Esther Payne, Eugene Ngumi, Dr. Eve Hayes de Kalaf, Federico Ponce de Leon, Felicia Anthonio, Felix von Cossel, Fouzi Fouzi, Francesca Fanucci, Frankie Bost, Gautam Bhatia, Geofrey Masinde, Gigorii Artamonov, Gloria South, Grady Grey, Greg Adamson, Gulsen Guler, Harry Sufehmi, Harvey Manuella, Hatem Ben Romdhane, Hector Dominguez, Henk Marsman, Henry Koh, Hui-Ju Tsai, Ibrahim Cisse, Ine van Zeeland, Isabela Carvalho Regis, J Barnes, Jade Lyngdoh, Jake Roberson, James Ting-Edwards, Jamie Hancock, Janaina Costa, Jaume Dubois, Javiera Moreno Andrade, Joe Leposo, Joost van Selm, Jordan Delong, Julie Greenn, Kaliya Young, Karan Saini, Kawai L, Kehinde Adegboyega, Keren Weitzberg, Kevin Gallagher, Kim Pratt, Kira Allmann, Kiran Jonnalagadda, Laurent Cote, Len Manriquez, Leo Fang, Lexine Maris, Liam Giombetti, Lina Alhathloul, Linda Dresh, Lori Roussey, Lucas Hernán Minutella, Lucas Pimentel, Malavika Jayaram, Malek Abidi, Manoj Nayak, Marcelle Ngounou, Maria Recalde-Vela, Marian von Bonin, Marianne Díaz Hernández, Marlena Wisniak, Martin Krafft, Matias Devred, Matthew Mahmoudi, Mehrang Mashaghati, Mei Chia, Michael Jeitziner, Michael Lipo, Michael Oghia, Mirjam Twigt, Mohamed Farahat, Mohamed Siddig Hassan, Marilene Oliver, Mike Flood, Morisola Alaba, Nadeem Anthony, Nagarjuna G, Naman M. Aggarwal, Nanjira Sambuli, Naushaad Gasieta, Neha Gauchan, Nikita Reichelt, Nnadozie Daniel Kanu, Nuttawut Suwannatrai, Olumide Babalola, Patricia Thompson, Paul Mwangi, Phil Booth, Pradeep Esteves, Prasanna S, Pyrou Chung, Raabia Farooqi, Ranjeet Singh, Rebecca Tabasky, Renata Androvicova, Revath S Kumar, Ria Singh Sawhney, Rob van Kranenburg, Rodolfo Bautista, Rogério Assis, Romi Massih, Rui Santos, Samantha Evans, Sankarshan Mukhopadhyay, Sanket Tambare, Sapto Hadi, Sara Attafi, Sarah Davies, Sarah Spiekermann, Sarvjeet Singh, Shannon Linde, Shayan Anique, Shireen Mitchell, Sholanke Elijah, Shyam Krishna, Sibel Hulusi, Siddharth Prakash Rao, Simon Treen, Siobhan Talty, Soudeh Rad, Stacie Dagres, Stéfani Reimann Patz, Susie Dresh, Sven Diederichs, Szeming Tan, T Donovan, Tanzeel Khan, Tarek AlGhorani, Terri Chollet, Therin Rhaintre, Tim Nelson, Timon Jobic, Timothy Reiniger, Tony Liu, Tony Nicholas, Tony Roberts, Travis Carman, Urbano Moreno, Usha Ramanathan, Vagisha Srivastava, Valentina Wijiyati, Varun R, Veikko Eeva, Verónica Arroyo, Vinay Vasanji, Vishal Singh, Vladimir Baryshnikov, Wil Hamlin, Yesha Tshering Paul, Yi-Huan Tang, Zahra Khalid
This letter was facilitated by Access Now, an international non-profit organization that works to extend and defend the human rights of users at risk across the globe. To join the #WhyID list and learn more about our ongoing collective work on digital identity, please contact [email protected]