Understanding Identity Systems Part 3: The Risks of ID
31st January 2019
This is the third part of Understanding Identity Systems. Read Part 1: Why ID?, and Part 2: Discrimination and Identity.
- Biometrics are the physiological and behavioural characteristics of individuals. This could be fingerprints, voice, face, retina and iris patterns, hand geometry, gait or DNA profiles. However, the legal definition of ‘biometrics’ may differ – in some contexts, it may be defined by law, whereas in others it may not have, or only have a vague, legal definition.
- Biometrics used in ID systems are most commonly facial photographs, fingerprints, and iris scans.
- If data like photographs are collected in the enrolment or data collection of an ID scheme, even if it is not immediately used for purposes like facial recognition, the existence of the dataset means that it can be used for such in the future, as in the case of India adding facial recognition to its biometric systems.
- An ID system has to account for biometric failure. Sometimes, biometric systems fail to recognise the biometrics of an individual. This can be a result of issues like the fading of fingerprints (the elderly and manual workers being particularly at risk) or cataracts affecting iris scans.
- The consequences of this can be severe: for example, failing to get access to benefits to which an individual is entitled. There are reports that this has led to starvation deaths in India.
- It is essential that strong, and usable, mechanisms are in place in the case of biometric failure.
Risks of harms from data breaches or leaks
- A large-scale database, like an identity database, can be a tempting target for criminals and others looking to gain access to the system.
- The harms caused by this can include:
- Harms related to data removed from the database
- Harms related to data altered in the database
- Harms related to data or entries added to the database.
Examples of ID breaches
- There are examples of ID systems that have had their security breached:
- A data breach of the South Korean ID system meant that the records of 27 million people - 80% of the population - had their ID details stolen.
- While there are claims that India's the centralised Aadhaar biometric database has never been breached, breaches of systems that have made use of Aadhaar have potentially left over a billion people's data exposed.
- The voter registration database in the Philippines, containing the personal data, passport details, and fingerprints of 70 million registered voters, was compromised in 2016.
The challenges of altering entries in the database
- One of the challenges of an ID database, in whatever form it takes, is how to change and alter the information stored. This is for correcting mistakes, as well as making changes over the course of an individual’s life.
- This is a challenging design challenge. On the one hand, to protect the rights of users, it is important that data can be changed with the minimum of difficulty: for example, for trans people not to be able to easily change their genders and names on a card can be a major source of harm. At the same time, allowing changes to be easily made can be a source of fraud: for example, someone fraudulently changing the contact phone number in a database can be a source of benefits fraud. The complexities of questions like this is one reason why the design of an identity system requires deep consideration and consultation in its design.
- It is also arguable that the nature of an identity database fails to adequately deal with the complexities and nuance of human identity. For example, the format of individual's names can vary greatly, and are often not static - they can change according to circumstances. Even apparently simple categories, like names, can become extremely complex in terms of how a database is designed. For more detail, see Privacy International's work on this topic.
Record keeping and tracking
- The record of how and when the identity of an individual is validated using an identity system is potentially incredibly revealing information. Sometimes referred to as “metadata”, this can give a potentially very intrusive picture of the life and activities of an individual. This can potentially include information like an individual’s location, their interactions with the state (for example, when they are claiming benefits), how and when they access healthcare (including potentially the identities of specialists they may be seeing) and when they log into private services. Watch Privacy International's video on metadata.
- While some data may need to be retained for auditing purposes, it is essential that this is kept to a minimum amount held for the shortest amount of time.
- It is essential to know:
- What data is being stored;
- By whom (for instance, a government agency or third-party provider);
- How long it is kept;
- Who has access.
- Read our Data Protection guide to learn more about the principles behind data protection.
The role of the private sector in providing the ID system
- It’s inevitable that any ID system will involve a third-party provider in some capacity. But it’s important to know which companies are involved, what their role is, what are their obligations and responsibilities, and how are those enforced.
- There is a push towards “vender-neutral” systems – ie, avoiding those that lock the system into a particular provider.
- But this can be done in a way that is only partial. Eg, India – a standards-based approach for some of the tech, but still has some parts (deduplication engine) that are proprietary software.
Infrastructure and Internet connectivity
- Some identity systems rely on factors like an electricity supply, internet connectivity, or mobile networks, to operate – for example, for the operation of biometrics in remote villages.
- It becomes important to consider this issue from the perspective of those parts of the country that have the least reliable access to telecoms infrastructure. Are there any particular groups that would be potentially badly affected by this? If the network, or power source is down, what alternatives are in place?
- Measures designed for offline access to ID also have consequences - it can mean that measures in place to guarantee or give control over information in the online space do not apply to offline access.
Mobile phones and the identity system
- Mobile phones have begun to play a role in identity systems. This can include the use of mobile phones by enrollers. It may also be the case that an ID system has an associated app or ability to view a digital version of an ID document. It can also be the case that the ID is used to login to various digital services, sometimes through an app.
- The use of mobile phones can also create risks. First of all, it is important to note that, even in countries with widespread access to mobile telephony, there are still many people who lack access to a mobile phone. This is often people who are already in marginalised situations, who would further have difficulty getting or using ID.
- It is also important to consider the nature of phones that people are using, and what security concerns might be raised by this – for example, by people using outdated and unsupported operating systems that have security issues. This means that people could access data, or use it for identity fraud.
Destructive political environments
- Any ID system requires long-term thinking. The data, however it is collected or stored, remains relevant and relevant for at least the lifetime of the individuals enrolled – longer, as it may affect family members in cases like citizenship.
- Cases of state’s deletion of data, or biometric data, once collected are very rare. One case was in the UK, when the data collected as part of the initial rollout of an abandoned ID project was destroyed.
- An example of the dangers of identity databases are “Sanctuary Cities” like New York, who provided ID cards to undocumented migrants, in order to allow them to access services in the city. However, the database that was gathered for administrating this system became a threat following the election of Donald Trump, with fears that it would be used to identified undocumented migrants for deportation.
Thinking about the harms to individuals and groups
- Understanding the nature of an ID system, and how it could be used by actors with malicious intent, is an important thought-experiment for the development of an ID system. The potential harms can affect people in a number of ways.
- Harms can befall individuals. If the uses of an ID card are particularly broad, this means that the associated theft, loss, or alteration of ID records can have an impact through many aspects of an individual's life. This means that an individual risks identity theft, for example losing money or suffering a loss to their credit file, or other sources of fraud.
- Harms can also befall groups. IDs can be used for horrific purposes – for example, in the Rwandan genocide of 1994, the ethnicity that was written prominently on Rwandan’s ID cards was a factor used at roadblocks to determine who would be murdered.
- IDs can also be exclusionary. For example, in Privacy International's research in Chile, we showed how the ubiquitous RUT card causes serious issues for migrants.
- One of the main dangers of the implementation of an ID system is that of function creep - that an ID, even if it starts being used for a limited set of purposes, begins to be used more and more.
- This can include the use of ID to link more and more sources of data in the public and private sectors. Examples range from the tragic (the requirement to have an Aadhaar number to get compensation for the Bhopal disaster in India) - to the farcical (the requirement to have an ID in Singapore to get a massage.)
- This type of function creep of an ID system has to be actively combated by law, tech, or policy; otherwise, the use of an ID card will expand beyond the original purpose for which the ID system was set-up.
Read Part 1: Why ID? and Part 2: Discrimination and Identity.
Related learning resources