Why the Huduma Namba ruling matters for the future of digital ID, and not just in Kenya

PI explains why the judgement of the Kenyan High Court's judgement on the Huduma Namba matters globally.

Key points
  • The Huduma Numba case extends far beyond Kenya, as it raises important issues for the rollout of digital identity systems around the world.
  • The successes and lessons learned of the Huduma Namba challenge will inform similar challenges and debates happening elsewhere in the world.
  • The ruling of the court on the Huduma Namba highlights the importance of protecting  the security of biometric data and preventing exclusion.
News & Analysis

On 30 January 2020, Kenya’s High Court handed down its judgment on the validity of the implementation of the National Integrated Identity Management System (NIIMS), known as the Huduma Namba. Privacy International submitted an expert witness testimony in the case. We await the final text of the judgment, but the summaries presented by the judges in Court outline the key findings of the Court. Whilst there is much there that is disappointing, the Court found that the implementation of NIIMS should not continue without further legislation to guarantee the security of biometric data and to ensure the system is not exclusionary.

With the biometric data of almost 40 million Kenyans already collected as part of the roll-out of the system, and with the danger of the system leaving millions without access to vital services, the importance of this case to Kenyans is difficult to overstate.

But the importance of this case extends far beyond Kenya, as it raises important issues for the rollout of digital identity systems around the world. The successes and lessons learned of the Huduma Namba challenge will inform similar challenges and debates happening elsewhere in the world from Uganda, Ireland and the United Kingdom as well as the influence of the digital identity agenda in other sectors including international development and humanitarian sector.

The ruling of the court on the Huduma Namba highlights the importance of protecting  the security of biometric data and preventing exclusion. These are important issues that deserve attention when it comes to identity systems anywhere.

ID and Exclusion

The court found that there was a need for regulation for the Huduma Namba to make sure that it is not exclusionary. While there is a discourse surrounding digital identity that it leads to inclusion, the fears of many in Kenya is that the Huduma Namba would lead to the exclusion from essential services. The challenge by the Nubian Rights Forum reminds us all that behind the system they are people who could be excluded, with millions facing “digitizing discrimination”. The case brings much needed attention to the fact that for the Kenyan Nubian and Somali communities - who already face additional hurdles and scrutiny when establishing their citizenship and applying for identity documents - the introduction of the Huduma Namba would deepen their exclusion.

Privacy International’s work has shown that this theme is relevant across the world. For example, our research in Chile has shown the issues faced with those who do not have access to the ID card. Those without a card, for example many migrants, face the challenge of not being able to access healthcare, open bank accounts, or even get married. They are left without the protections of formal employment, with their vulnerability made worse by the lack of access to identification.

Thus, the challenge to the idea that it is simple to make an ID system “universal”, and that people will be easily able to access identification, is something that we have to challenge across the world.

The risks of biometric data

The other issue raised by the court, that requires further legislation, is the security of the biometric data gathered in the course of the Huduma Namba. With the fingerprints and facial photographs of almost 40 million Kenyans already on the system, these issues are essential and pressing.

Biometric data presents a unique set of concerns. As biometric data can remain relevant for the course of a person’s life, the security of this data is paramount. Biometric data breaches seriously affect individuals in a number of ways, whether identity theft or fraud, financial loss or other damage.

And these breaches do occur. For example, a breach of the US government’s Office of Personnel Management – the agency that handles the security clearances of civilian workers in 2015.

The future of digital identity

The Huduma Namba case is right to highlight the issues surrounding the risks of exclusion, and the risks surrounding biometric data. But there is a need to look deeper at some of the more underlying issues with these systems that lead to these risks in the first place.

We need to begin to look at some of the assumptions behind the push for ‘foundational’ ID like the Huduma §. Why do we need a a single unique universal identifier? Is producing a biometrically deduplicated database really necessary, to prove everyone unique?

This is why the democratic process in the development of an identity system is so important. Identity systems, particularly national identity systems, are often introduced without the firm and rigorous debate that such a major measure deserves. There are countless examples of identity systems pushed through by decree, diktat, or through means that allow less democratic accountability, denying the systems a mandate. We’ve seen this for example, in Argentina, Pakistan and India.

ID projects are large, complex, and expensive enterprises – and increasingly so – which deserve and demand proper interrogation and debate. The same applies to future developments or changes to the ID system. The decision to create an ID scheme from the moment of conception of the very idea must go through a process of an open, inclusive and meaningful consultation.

Conclusion

We shall be continuing to follow the Kenyan case closely. It is essential that the government meaningfully addresses the issues raised by the Court, and that the solutions presented genuinely address the Court’s concerns. Along with our network of partners around the world, we need to begin to address these issues surrounding exclusion and security.

However, we must also not lose sight of the need to challenge the assumptions underlying these types of digital identity, and the powerful global institutions pushing for their introduction. The need to identify yourself should not come with the risk of exclusion, exploitation and surveillance. At the very least, the work of civil society in the Kenyan case has highlighted the risks and challenges of such an identity system - and we should all take notice of how much is at stake.