Digital Identity for Development — and Protection
Emrys Schoemaker argues that the Taliban has once again reminded us that digital identity systems are like all technologies — they are neither good nor bad, but never neutral.
On August 27th, the Taliban boasted of using US digital identity technology to hunt down Afghans who had worked with the international coalition. This poses a huge threat to all Afghans who are recorded in these identification systems, and should be a wake-up call to all those working on digital identity and digital public infrastructure for development.
The Taliban’s claim was made just days before the formal departure of the coalition forces and the Taliban takeover of the Afghan government. In addition to the US military’s Handheld Interagency Identity Detection Equipment (HIIDE, biometrics devices) , the Taliban takeover means they also have access to and control over the digital identification systems and technologies that had been built through international aid support . These include the e-Tazkira, a biometric identity card used by Afghanistan’s National Statistics and Information Authority, which includes fingerprints, iris scans, and photographs, as well as voter registration databases and the Afghan Personnel and Pay System (APPS), used by both the Afghan Ministry of Interior and the Ministry of Defense to pay the national army and police. As a result, many Afghans are “frantically going through phones to delete messages they have sent, music they’ve listened to & pictures they’ve taken,” BBC reporter Sana Safi wrote on Twitter on August 15. For those in official databases, particularly the APPS, user deletion is not an option.
What does this situation mean for Afghanistan, for Afghans, and for the wider international community working on digital identification for development?
For Afghanistan and Afghans, it means that the Taliban have sensitive personally identifiable information that they have said they will use to target those they deem enemies or threats. Of course, these databases are not the only way they might be identified — US officials gave the Taliban names and details of American and Afghan allies to assist in evacuation efforts, while the UK had to rescue families of Afghan embassy staff whose names had been left behind at the embassy. Quite apart from anything else, the evacuation has shown how badly information security has been handled by the coalition — another reason for an expanded immigration offer to all Afghans.
For those working on digital identification for development and more broadly, what are the lessons? For a start, it is a wake-up call to remind us that that development benefits of identification systems, enshrined in the Sustainable Development Goal 16.9 — Right to Legal Identity — should not come at the expense of individual safety. To date, the international development community’s efforts have focused on adoption and inclusion — the fastest and cheapest ways to make everyone visible to the state in order to manage access to rights and entitlements.
The benefits of inclusion in digital identification systems are well known. Identification is key to obtaining legal status, recognition, and associated rights and entitlements. The World Bank notes that without some form of legal identity people are unable to access critical healthcare and social services, enroll in school, open a bank account, obtain a mobile phone, get a job, vote in an election, or register a business in the formal sector — along with other basic services, rights, and opportunities that would empower them to improve their lives. The World Bank also notes that women are disproportionately less likely to have official proof of identity; women, refugees, stateless persons, people with disabilities, and people living in rural and remote areas often face the greatest hurdles to obtaining official IDs.
Digital Identity and Risk
Despite growing calls from a number of organisations for a greater focus on the risks of new digital technologies, the issue of digital identity and protection has not received the same level of attention and access and inclusion, in part because debate is polarised between advocates and critics,. For example, Privacy International have long advocated for greater attention to security ,including on Afghanistan’s biometrics programmes, and Access Now’s campaign on rationales for digital identity have pushed particular security and privacy concerns. At a higher level, initiatives such as the World Bank–hosted Principles on Identification for Sustainable Development and the Omidyar Network–supported Good ID initiative (which Caribou Digital helped initiate) assert a normative approach founded on the belief that digital ID can ‘be good for all.’ However, as analyses of the risks and dangers of digital identitifcation emerge — such as Jacobsen and Steinacker’s in-depth perspective on humanitarian and military biometrics in Afghanistan — concerns about the downsides of these technologies are only going to grow as the contexts in which digital identification systems are deployed increasingly face the threats of climate change, inequality, and conflict, leading to political instability.
Digital identity systems are like all technologies — they are neither good nor bad, but never neutral, and they amplify the power of those that control them. No technology is going to change the intent of actors such as the Taliban to target those they wish to find. In the face of these inevitable political risks, the deployment of digital identification systems needs to get smarter about understanding the political interests and risks that shape the contexts in which identification systems are used — our ID Ecosystem Mapping tool supports risk assessment arising from the deployment of digital identification systems.
Strategies for Protection
But even where political risks are identified, identification systems are still going to be rolled out, so we must start paying more attention to emerging approaches to data management and technologies that might mitigate the misuse of these technologies by bad actors.
For example, we need to instil a greater focus on the ‘data minimisation principle,’ as outlined in the EU’s General Data Protection Regulation (GDPR): the idea that one should only collect and retain that personal data which is necessary, and not collect more information than is needed. This approach contrasts with the South African proposal from earlier this year to collect all sorts of biometric and other data, including from babies.
We also need to move away from centralised data collection approaches, and instead focus on decentralised approaches that place greater control over data in the hands of individuals. For example, there could be a greater emphasis on decentrasiling the storage of sensitive personally identifiable information (PII) through the use of smart cards that store data, rather than dumb cards with centralised data storage — an approach advocated for by the International Committe of the Red Cross. .
We can also learn from efforts to decentralise data storage and control — what some call federated or self-sovereign identification systems. Countries such as Germany, Spain, and the Netherlands are developing digital wallet–based identification systems to hold verified credentials, while the EU’s COVID-19 vaccine passport employs a similar model.
Established technologies such as Zero Knowledge Proofs and emerging innovations such as encrypted hashes of sensitive information can support greater protection over personal data. For example, Mastercard and TrustStamp’s encrypted hash of biometric data makes it almost impossible to identify individuals without Mastercard’s proprietary algorithm ; humanitarian organisations are developing similar technologies.
But while there are scattered, isolated examples of efforts to develop better approaches and innovations to better protect people and their data, there is no established, independent body of knowledge and expertise addressing these issues. There is a need for independent, critical research and advisory services on this critically important topic. There is a wealth of expertise, dispersed around the world in various governments, companies and associations, in niche newsletter groups, and online publications that could usefully contribute to thinking and policy positions, particularly for development donors, to support decision-making and investment that can help advance the benefits of digital identification whilst ensuring that their risks are mitigated.
Emrys Schoemaker, academic and consultant focussed on digital ID, risks and rights.
Another version of this appeared recently in the Guardian.
Image: Jacob Freeze via Flickr (CC BY 2.0)