Digital ID data and fragility: the Dark Side of Identity, Part 2
What can happen with data amid the realities of fragile environments such as places of conflict, natural disaster or political unrest is a potential ‘dark side’ of digital identity, and the focus of the second in a trilogy of livecasts exploring systemic risks.
ID4Africa generally champions the opportunities and benefits brought by legal and digital identity systems, but also wants to highlight the potential vulnerabilities and abuses. Part 1 of the trilogy examined issues of inclusion in digital ID system while the second webinar, available on YouTube, heard from academics, activists, lawyers and identity scheme staff on vulnerabilities in identity projects, government abuse, hacks and lack of trust between countries or even government departments.
Identity data threats and warfare without the control
Participants discussed whether identity is data and what constitutes core identity or simply an identity attribute and whether it should be collected, with a view to data minimization. A distinction should also be made between a country’s civil register and its identity system, noted Jonathan Marskell, senior program officer ID4D, World Bank. While attributes such as ethnicity are important for a country’s statistics derived from the civil register, such attributes should not be included in an individual’s identity.
Argentina’s major identity breach was used as a case study by Tunde Okunoye, research affiliate at the Berkman Klein Center for Internet and Society, Harvard.
The records of all 45 million people registered on Argentina’s national identity database, Renaper (Registro Nacional de la Persona), were hacked. Celebrities’ details were put up for sale. Okunoye made the distinction between literacy levels in a country and their cyber security awareness. Argentinians are assessed as being at the second step – ‘formative’ – of a step scale from ‘startup’ to ‘dynamic’ in the latter respect.
As well as ICT systems requiring more security, people also need further education to understand the risks around their identity data. Okunoye explained how anyone anywhere in the world can be affected, especially where centralization without tokenization is used.
Derived Digital Identity, an identity profile gleaned from metadata sifted from social media, is another peril for individuals and groups, according to Oscar Okwero from the Centre for Intellectual Property and Information Technology Law (CIPIT) in Kenya.
The ‘digital exhaust’ that internet users leave behind from social media use is packaged up and made available for research purposes via APIs, according to Okwero. Big data tools and AI can develop models to create ‘digital publics’ – groups determined by interests, geography, race, religion.
“Depending how granular your AI model goes, this could be used to target these very digital publics for nefarious uses,” said Okwero, adding the publics are “used by government and non-government threat actors to target or essentially spread misinformation when necessary and some attempts to even compromise access to information.”
The operations undertaken by Cambridge Analytica against the U.S. electorate ahead of the 2016 presidential election are a clear example of what is possible, warns Okwero. It is controlled by the creators of the AI and its existence is only known of by these creators.
He believes the first control on Derived Digital Identities should be on how the data is released for research purposes as the granularity of the data could be managed. The situation could become dire, he warned, if social media platforms were to start capturing user biometrics.
The use of digital publics and derived identity has so much potential danger that “the effects are to the degree of warfare” but without the controls of conventional war, said Okwero.
“Single source of failure”
Unique identifying numbers (UINs) were a common concern among the speakers, with the “single source of truth” strapline twisted to reflect the privacy abuses faced by some in the countries where it operates. This is the approach present in identity systems around the world where an individual has one identifying number which follows them across every database, such as the Huduma Namba in Kenya.
Dr. Edgar Whitley, associate professor at LSE, explained how it is an easy sell for politicians and Jonathan Marskell, Senior Program Officer ID4D, World Bank, explained how the demand for a single number has grown during COVID as governments have sought to link the various records on a person such as social security and health.
Yet the approach leaves individuals highly vulnerable to abuse without tokenization being involved. Marskell recommended the risk of all data on a person being easily found out could be mitigated with tokenization even if it is only broken down to general sectors such as health and finance. He also noted how the Philippines’ PhilSys has both front-end tokens on the PhilID cards and a back-end token for databases.
Government as the biggest threat to privacy
“Government is the biggest threat to digital data anywhere around the world,” said Solomon Okedara, Digital Rights Lawyers Initiative. He described how social media platforms receive thousands of requests per year from national law enforcement agencies, which use national security as a reason or pretense to delve into users’ profiles.
“What is national security? All a government needs to do to violate a person’s right to privacy is write a letter and cite national security,” said Okedara, who explained a three-part test devised in order for a request to be made: it has to be based in law (not simply a letter from an agency chief) that is clear to the people; it has to be in pursuit of a legitimate aim and it has to be proportionate.
Teki A. Falconer from the Africa Digital Rights Hub stated that African countries have a good track record of using the courts system and that for identity data protection the court system should be used for oversight. She said this is not because data privacy laws do not exist, but because they are not adequately enforced.
Solutions for fragile environments
Countries must choose their own digital sovereignty and manage their “digital public goods” said Dr. Emrys Schoemaker of Caribou Digital. While fragile environments may be particularly sensitive areas for identity systems and vulnerabilities, breaches in Finland and Argentina show that they can happen anywhere.
“We shouldn’t kid ourselves that just because it’s an American or European company it’s necessarily rights-protecting, surveillance-protecting,” said Dr. Shoemaker.
“Technology is fragile as democracy is fragile. So if we introduce an element of fragility into democratic institutions, maybe we are making them more fragile,” said Dr. José Arraiza, of the UNDP and OHCHR.
Arraiza suggested that the international community should have been more pessimistic in Myanmar when the discriminatory citizenship law was drawn up in 1982. Arraiza and Schoemaker call for stronger risk assessments of the identity ecosystems and deeper assessments into the political situation of a region before external actors attempt to bring in an identity system.
Sir Mark Lowcock, former UN Under-Secretary-General noted how the data involved with identity “is very vulnerable to malign manipulation which can lead to the exploitation, the subjugation and the repression of populations” and that there must be a balance between the opportunity and threat of digital identity in fragile environments.
Overall, for the data related to identity, Sir Mark is more optimistic than pessimistic “because on the whole, data empowers.”