A call for openness in Digital ID systems

Digital ID systems are increasingly the battlefield where the fight for privacy, security, competition, and social inclusion is playing out, Mozilla writes in a new white paper out today. In our ever more connected world, some form of identity is almost always mediating our interactions online and offline.

From the corporate giants that dominate our online lives using services like Apple ID and Facebook and Google’s login systems to government IDs which are increasingly required to vote, get access to welfare benefits, loans, pay taxes, get on transportation or access medical care.

The white paper surveys the landscape around government digital ID projects and recommends several policy prescriptions and guardrails for these systems.

“The rush by governments and the international development community to deploy digital, and often biometric, identity systems is often leading to mass surveillance and denial of vital government services and benefits,” said Mozilla’s Public Policy Lead for Africa, Alice Munyua and one of the author’s of the paper.

“In designing, implementing, and operating digital ID systems, governments must make a series of technical and policy choices. It is these choices that largely determine if an ID system will be empowering or exploitative and exclusionary.”

“We believe that the concept of openness provides a useful framework to guide and critique these choices and to ensure that identity systems put people first,” continued Mozilla’s Public Policy Lead for Africa, Alice Munyua.

The whitepaper examines and makes recommendations around five elements of openness:

1. Openness as in multiplicity of choices: There should be a multiplicity of choices with which to identify aspects of one’s identity, rather than the imposition of a single and rigid ID system across purposes. The consequences of insisting on a single ID can be dire. In India, for example, there are documented cases of people dying because they did not have an Aadhaar number or their Aadhaar didn’t work.

2. Openness as in decentralisation: When national IDs are mandatory for accessing a range of services, the resulting authentication record can be a powerful tool to profile and track individuals. This centralized log of biometric data and transaction records paint a detailed portrait of the most intimate details of the lives of every person in the system.

In doing so, these systems can dramatically increase the surveillance capabilities of both governments and companies. Moreover, centralization of identity information creates a single point of failure which is ripe for attack by malicious actors. Digital IDs should, therefore, be designed to prevent their use as a tool to amplify government and private surveillance.

3. Openness as in accountability: Legal and technical accountability mechanisms must bind national ID projects. Data protection laws should be in force and with a strong regulator in place before the rollout of any national biometric ID project. National ID systems should also be technically auditable by independent actors to ensure trust and security.

4. Openness as in inclusion: Governments must place equal emphasis on ensuring individuals are not denied essential services simply because they lack that particular ID or because the system didn’t work. Individuals should also have the ability to opt-out of certain uses of their ID. This is particularly vital for those marginalised in society who might feel the most at risk of profiling and will value the ability to restrict the sharing of information across contexts.

5. Openness as in participation: Governments must conduct wide-ranging consultation on the technical, legal, and policy choices involved in the ID systems right from the design stage of the project. Consultation with external experts and affected communities will allow for critical debate over which models are appropriate if any.

This should include transparency in vendor procurement, given the sensitivity of personal data involved.

Mozilla has engaged with governments around the world on the topic of Digital ID, including by filing an affidavit in front of the Constitutional Court of Kenya in a case on the country’s National Integrated Identity Management System (NIIMS).

The Firefox-maker has also been active in data protection debates in five continents.