Digital ID Systems

Government responses to COVID-19 reinforce the need to ask — #WhyID?

The ongoing global health crisis has demonstrated with painful clarity the risks posed by digital identity systems that centralize biometric data, health records, and other sensitive personal information. Those in our communities already facing marginalization have been hit the hardest by COVID-19, and they will also face the most severe long-term effects from policies being implemented without proper consideration for human rights.

Cutting off access to essential resources

COVID-19 has amplified the existing inequalities present in our societies. The lockdowns, shelter-in-place orders, and other restrictions governments have adopted to slow the spread of the disease, while largely necessary, have imposed a significant economic burden — especially for those for whom one day’s pay is the difference between food on the table and going to bed hungry. 

Governments around the world are responding to COVID-19 and its social and economic impacts by distributing resources to their citizens, and the World Bank has recently praised countries leveraging government-to-person payments. Well before COVID-19, many in the development sector have promoted centralized national identity systems and databases as the solution for improving access to these kinds of public services and ensuring that everyone can receive the resources being distributed. 

In practice, though, many of the people who need this help the most — like those living in low-income and underserved communities or refugees — face even more obstacles when receiving it is contingent upon having this specific form of ID. In his evaluation of Ireland’s Public Services Card, Philip Alston, Special Rapporteur on extreme poverty and human rights, explained that “too many of those living in poverty, including people with disabilities and other marginalised groups, are unable to get the support they need as a result of the requirements involved.” 

In Venezuela, where people were already facing extreme economic hardship well before the coronavirus outbreak, the impacts have been even more severe. The Maduro government made possession of the “fatherland card” — which also ties together everything from medical history to property ownership to political affiliations and voting records — a requirement for receiving public and cash benefits. Many have expressed concerns with the workings of the system and that it is used to direct resources to those who demonstrate their loyalty to Maduro’s regime.

Any national digital identity system must be both equitable and accessible, ensuring no one is excluded either intentionally or as a result of cumbersome regulations.

Many countries, including Ireland, have acknowledged this issue and have waived requirements to produce a national digital ID for accessing benefits in these challenging times, which, as Alston points out, is further evidence that the burden these systems are placing on at-risk individuals, under any circumstances, is too high.

Undermining fundamental privacy rights

COVID-19 has also spurred a rush toward new forms of surveillance, in some cases well-intended to fight the pandemic but without proper consideration for privacy implications, and just as often not-so-well-intended, using the crisis as cover for cracking down on dissent, monitoring activists and journalists, and implementing new tools for societal control.

Upholding the right to privacy is an essential component of any COVID-19 response, and governments should not take advantage of the crisis to accelerate implementation of digital identity programs — especially where biometrics and other highly sensitive personal information are at stake. 

The Prime Minister of Jamaica recently issued a statement calling on his government to push forward on implementing a controversial digital identity program in response to COVID-19, arguing “we cannot waste a crisis.” But just last year, Jamaica’s Supreme Court struck down the legislation establishing the new ID, arguing that the scope of data collection, including requirements for biometric data, violated the right to privacy.  

Looking to India, we are seeing calls to expand the use of the national digital identity program known as Aadhaar for state surveillance. This would include cross-referencing the Aadhaar database with feeds from facial recognition cameras, as well as creating a searchable “database of databases” that would centralize information about every aspect of a person’s life. There have also been many calls to create health-related databases leveraging information connected to the digital identifier. Like many developing countries, India does not have a robust, rights-respecting data protection and privacy framework, and is in need of comprehensive surveillance reforms. 

In Kenya, the government has blamed its struggles to deliver cash benefits to its citizens on a lack of data caused by the restrictions courts put in place on the rollout of the Huduma Namba national digital identity program — which went as far as collecting DNA records and GPS locations of personal homes. But experience tells us that more data on its own is not a solution — and often puts people further at risk. In the U.S., the government has promised to distribute $1,200 to each person earning less than $75,000 per year. The Internal Revenue Service (IRS) is handling the payments based on data from 2018 and 2019 tax filings. But even with all the data they need, the IRS has been struggling to effectively deliver this support, leaving 100 million Americans without any assistance.

Lastly, we have already seen far too many cases around the world demonstrating the impact of data leaks and breaches. Already in Honduras, the personal information of individuals infected with the virus have been exposed due to the government’s mismanagement of an internal report. The risk of this kind of exposure only grows under a centralized digital identity system, which has a single point of failure and a very high payoff for those who seek to gain access to sensitive data.

The crisis should not be used as a tool to create long-term surveillance regimes, and digital identity ecosystems must be designed to guard against “mission creep” that pushes the limits of what data is collected and how it can be used. Such practices lead to the creation of mammoth yet fragile systems with inadequate protections for people’s rights. 

Digital identity systems should never be viewed as a panacea or silver bullet that can be applied in any context to fix complex problems. The challenges we are all facing under COVID-19 make that even more clear. It is essential that governments, development agencies, funders, and all other stakeholders first ask the question #WhyID, closely examining whether this tool will respond to the needs of those most at risk, and if so, ensuring the system is built upon a strong foundation of human rights frameworks.