
Digital identity programs: what could go wrong? Our contribution at UNCTAD’s E-Commerce Week

On Monday, Access Now participated in a panel on digital identity programs and data protection, hosted by the United Nations Conference on Trade and Development (UNCTAD) and the World Bank. The discussion was part of UNCTAD’s annual e-Commerce Week.

It may be more trendy in some countries than others for policymakers to discuss the concept of digital identity. Regardless of the level of public debate, however, we are seeing efforts to push the implementation of digital identity programs that create national databases of people’s personal information — often including biometric data — rapidly gain traction. As we highlight in our recently released working paper, National Digital Identity Programmes: What’s Next?, many governments are either considering, creating, or implementing some form of digital identity program. Yet such programs expose us to human rights risks. They can undermine the right to privacy, and chill freedom of movement, the freedom of expression, and other protected rights. They also carry significant risks for cybersecurity and information disclosure.

On the international stage, some multilateral actors and institutions are promoting these programs as a solution to numerous social problems, such as access to basic services and education, national security, and facilitation of administrative services. This positioning is usually presented within the context of fulfilling the Sustainable Development Goals (SDGs), namely, SDG 16.9, which states:

        “By 2030, provide legal identity for all, including birth registration.”

The proposed indicator for this SDG is the “proportion of children under five years of age whose births have been registered with a civil authority, by age.”

Providing a legal identity is a laudable goal, especially since it can benefit refugees and stateless peoples. A legal identity is usually understood as legal documentation certifying one’s identity through basic data about one’s personhood (such as one’s name and the date and place of one’s birth). But legal identity should not be conflated with digital identity. Digital identity can comprise basic information about your identity, and data for authentication, including unchangeable biometric data such as thumbprints or iris scans. To “leapfrog” from establishing legal identity to a particular form of digital identity that can encompass so much more — with the increased risks of data compromise, exposure, and more — is to introduce a range of serious issues that governments might otherwise avoid.

Further, national digital identity programs can serve to thwart their own stated objectives. At its heart, SDG 16 is about inclusiveness and access to justice, institutions, and basic services. What happens when a program to facilitate inclusion only perpetuates patterns of exclusion? For example, in India, hundreds of thousands of people have been denied access to basic services because either (1) they do not have an “Aadhaar” (digital identity) card, or (2) their digital identity is “incomplete” because their fingerprints have not been uploaded to the national database due to poor internet connectivity.

Finally, privacy is the cornerstone of human rights in the digital age. Despite the potential benefits of digital identity programs, the risks to privacy that are associated with these programs are too significant to ignore. The Cambridge Analytica scandal is only the latest demonstration that our data can be exploited in ways that harm our democracies, and that we need to build stronger legal and policy frameworks to protect it. It is crucial that we bring the issue of digital identity into our trade and e-commerce discussions.

With digital identity programs, governments are creating digital infrastructure, and this infrastructure can be more permanent than any real-world bridge we build. We are already learning from mistakes with digital identity, such as the vulnerability in Estonia’s 760,000 chip-equipped identity cards, or the access to India’s Aadhaar system that enabled the purchase of the personal data of over a billion Indians for $10 USD. However, this is no time to “build and fix later.” Instead, we must ensure that if a digital identity program is created, it is built in a way that accords with human rights: from conceptualization, to implementation, to maintenance. It is crucial to weave the right to privacy into all public and private transactions on the internet, including those that use identity as authentication. Any existing or proposed program that does not provide sufficient human rights protections should immediately be suspended and restructured.

Our fundamental human right to privacy is provided by Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and 167 states have ratified this instrument. Every government that seeks to protect this right should take the time necessary to pause, reflect, and assess what digital identity programs will mean to our global society.

We hope that our contribution to the panel discussion on Monday helped shed some light on the vital human rights issues associated with digital identity programs. As an organization committed to protecting the digital rights of users at risk, we look forward to continuing to work with stakeholders around the world to ensure that we are creating a digital infrastructure that benefits, rather than harms, our societies.