Digital rights groups call for moratorium on biometrics in digital ID systems
Digital rights organization Access Now has posted an open letter to its website, co-signed by numerous other organizations in the space, challenging the assumption that digital identity programs empower users, and suggesting that the use of biometric identifiers in such systems pose an increased security risk to the individuals programs are supposed to benefit. The letter starts with the basic question “Why ID?” and concludes with a call for a moratorium on biometric authentication for digital identity programs.
The letter is addressed to the leaders of International Development Banks, the United Nations, International Aid Organizations, Funding Agencies, and National Governments, and is co-signed by the Electronic Frontier Foundation (EFF), Fight for the Future, Human Rights Watch, HumanFirst.Tech, the Internet Freedom Foundation, Privacy International, The Tor Project, and more than three dozen other organizations based in Africa, Asia, Europe, and Latin America.
“We have worked directly with vulnerable populations, and witnessed the impact that ill-considered, badly designed, and poorly implemented digital identity programmes can have on human lives,” the letter authors write.
Access Now is a group providing hands-on technical assistance to civil society groups, activists, journalists and others facing digital security threats, as well as advocacy, policy guidance, and grants to help digital rights projects. The group also hosts RightsCon, and generally works to defend and extend digital rights around the world.
Poorly implemented systems risk scaling the potential harms of digital identification, without necessarily providing the intended benefits, according to Access Now. Problems identified with current digital ID programs include the centralized and ubiquitous model, which enables surveillance and can be detrimental to privacy rights, the single source of failure that is created by attempts to achieve a “single source of truth,” and the mandatory nature of most programs, which the letter claims leads to individuals being excluded. Marginalized communities such as refugees, transgender people, and people with HIV are those most affected, and have no negotiating power when faced with registration as a pre-requisite for receiving aid, according to the letter.
Noting the increasing popularity of fingerprint, iris scans, and facial recognition for user enrollment and authentication, the letter states that because biometric data can be hacked but not reset or changed when this happens, it poses a higher security risk.
The groups ask the letter recipients to answer a set of questions, including why foundational digital identity systems are necessary, why they are mandatory, why they are centralized, and why so many programs do not follow security guidance from expert and standard-setting bodies on the use of biometric identity systems, referring specifically to NIST and the IEEE. Digital identity community stakeholders are called upon to evaluate systems, and halt them if necessary, to put the necessary safeguards in place. They are also called upon to place a moratorium on the use of biometrics for authentication, “until it can be proven that such biometric authentication is completely safe, inclusive, not liable to error, and is the only method of authentication available for the purpose of the programme.”
The signing organizations conclude that international, regional, and national leaders need to explain why they are pursuing digital identity programs at all, and particularly in the way they are doing so, and that all policy should be driven by the promotion, empowerment, and protection of human rights.