Policy Design Choices

Research and Writing by Shruti Trikanad,
Anubha Sinha and Yesha Tshering Paul

With the large-scale deployment of digital ID systems in the absence of appropriate safeguards, it is critical to thoroughly examine all possible policy choices before implementation of such a system. This section attempts to provide an exhaustive list of policy choices that should be considered at the planning stage of any ID system.

1. What kind of ID system should be implemented?

  • Has there been an examination of whether a digital ID system is strictly necessary (especially if a less invasive, non-digital or paper-based ID is a viable option to achieve the same stated aims)?
  • Does it aim to be foundational, or one of multiple functional IDs?
  • Does it aim to serve as legal identification for all citizens and residents throughout their lifetime?
  • Does it aim to establish uniqueness within the population?

A “legal” identity should not automatically translate into a “digital” identity without sufficient examination of whether the latter is strictly necessary to serve its stated purposes. There is a tendency to push digital ID as an immediate solution to provide a legal identity to undocumented populations and enable their recognition by the State. Here, we must briefly delve into the quantum of data collected, and the resulting harms that could arise. A legal identity is an officially recognised form of documentation that certifies one’s identity and usually requires only basic demographic information such as name, date of birth, sex, and country of birth or residence. A digital ID usually entails the collection of further categories of sensitive information beyond this, together with biometric data (usually fingerprints and iris scans at minimum). The quantum of data collected about an individual could lead to profiling and surveillance, and the use of biometric information introduces additional security concerns (especially since biometrics, once compromised, cannot be changed or replaced). Under these circumstances, one must examine whether a digital ID system would better serve the need for providing legal identity than traditional or existing ID systems, which could instead be improved to better serve these needs.


2. What is the intended purpose of the ID system?

  • Does it intend to act as an authoritative source of basic identity information? Does it serve as a registry or a repository of data?
  • Does it intend to provide authentication credentials for other services?

Based on the objectives the ID is meant to serve, a broad purpose must be allotted to the ID system, which will in turn shape key choices around its model, features and identity credentials. Determining this purpose is also necessary to identify what data to collect from users, and therefore the privacy harms and risks posed by the system.

If the intended objective is for the ID system to serve as legal identity, then it typically follows a largely centralised model, with the government as the identity provider and with minimal involvement of the private sector in verification or authentication of the identity. Several developing countries such as India, Nigeria and Kenya have created ID systems with the main goal of providing legal identity to their residents. In India, the Aadhaar system was intended to provide a reliable identity to address problems of fraud and leakages in its welfare delivery system, and is now used pan-India as an authoritative source of identity for most Aadhaar holders. The need for a biometric digital identity was attributed to the reliability and cost-effectiveness it allows, together with the ability to deliver online services such as banking and cash subsidy deposits, amongst others.

This may be a useful purpose where legal identity documentation is lacking, but countries should not so easily substitute a digital identity for the need for a legal identity. This is primarily because the privacy and surveillance risk created by a digital ID system such as this is far wider than that of a traditional legal identity model. Additionally, even when the main goal is to provide reliable legal identity to the excluded population, the ID is often also intended as a means to access services online using the authentication it offers (otherwise the need for a digital ID must be reconsidered). While it may serve the wider purpose of allowing online/remote authentication as well, combining the purposes of legal identification and service delivery, with the State as provider and manager of the ID (as is the case when it serves as legal identity), carries a large cost. Access to a large body of identity information, along with continuously growing data about holders’ activities, allows for extensive State surveillance. Additionally, it creates a substantial power imbalance, as the ID provider now has the means to exclude the ID holder from key services by being in control of their ID.

As a registry of information: Estonia had a population registry and an identity documents database before it introduced its digital ID system. This ID served as a means to link the information present in various databases, and to give easy and safe authorization to reuse such data so that Estonian residents need not repeatedly share information they have already divulged. Improving the ease of doing business, in Estonia as well as with the rest of the EU, was the motive that initially influenced the Estonian system. As a result, its intended purpose was to act as a data registry and to provide reliable identity credentials (for electronic signatures). The X-Road interoperability platform can also be traced back to this purpose; by linking public and private sector e-information systems, it allows seamless communication between data systems and instant information exchanges. This is also why the ID is available not only to citizens and residents, but even to e-residents of Estonia.

To serve as authentication attributes: In Canada, the digital ID system was intended to create an interlinked identity management system that could be easily used to access both public and private services. This is achieved through a federated system where citizens can choose from a disparate set of identity providers to create attributes. This ID system is governed largely through standards, such that private organizations that are certified to meet such standards can be ID providers. A key difference here from the other systems seen above is that use of this digital ID is only optional, with an alternative login method remaining available for citizens.


3. What should be the ID credential?

  • What are the authentication factors assigned to the digital ID?
  • Have authentication factors been determined keeping in mind potential exclusions due to inability to authenticate one’s identity because of infrastructural and other factors, such as lack of internet connectivity or viable fingerprints?

An identity credential is a document, object, or data structure that can digitally affirm the identity of an individual through some method of authentication in an identity system. They typically rely on six kinds of factors to authenticate: knowledge, possession, inherence, location, behavioral, multi-modal and multi-factor.[1]

Choosing the identity credential for an ID system impacts much of the functionality and use of the ID, as it can determine the level of assurance it provides to transactions, the privacy and exclusionary risk it introduces, and is the key factor in the system with which users interact. When considered at the scale of a national ID program, it also plays a large role in the cost of implementing the ID system.

Some credentials that can be adopted in an ID system are listed below:

Static Passwords: Passwords can be static passwords, passphrases, one-time passwords, and dynamic passwords. Static passwords are reusable and may or may not expire. They are usually generated by the user, and for security purposes work best when combined with another form of authentication. Static password systems with unencrypted transmission are very vulnerable to malicious actors, and can be accessed through eavesdropping, dictionary attacks, social engineering attacks and phishing.

One Time Password (OTP): An OTP is a dynamic password that remains valid for a single authentication session. This password expires once an individual has authenticated themselves, or when the allotted time elapses. OTP authentication requires access to something that an individual possesses, such as an email address or a mobile phone, and optionally something only that individual knows or has access to, such as a PIN. OTPs are considered easy to use, and compatible with a wide range of devices such as mobile phones, computers and smart tokens. They can be delivered through SMS or PC-based software, and can be used either as standalone authentication or as part of multifactor authentication (which is more secure). Multi-factor authentication will additionally use another form of authentication such as biometrics, a PIN or contextual data. Since OTPs are easy to use and have minimal additional requirements, they are highly scalable as well as easy to adopt. They have also been in wide use for over a decade.

However, the technology provides multiple points of attack: for instance, cloning a SIM could provide someone else with illegal access to a live OTP (and consequently enable identity fraud).[2]

OTP via Mobile App: Mobile authentication apps mitigate the security risks of the OTP mechanisms described above by using either HMAC-based OTPs (HOTPs) or time-based OTPs (TOTPs). HMAC stands for “hash-based message authentication code”, and HOTPs are utilised in token-based authentication. They are not time-based, and instead use a secret key and a counter; each authentication attempt increments the counter on the token and generates a new OTP. On the other hand, TOTPs are temporary and do not use a counter. Instead, the time is synchronised on both the user’s and the resource’s end through a network time protocol. Popular mobile authentication apps use TOTPs to enable two-factor authentication. These apps are scalable and easy to adopt and use, as well as less vulnerable to circumvention by malicious actors. Two-factor authentication with biometric validation of the OTP would address the issue of a stolen token in TOTP authentication. However, app-based OTP mechanisms require individuals to possess a smartphone for authentication.

Non-electronic card: These are usually plastic cards that contain basic demographic information. They can also have a photograph, allowing them to be used as photo identity proof. Non-electronic cards used in identity systems can also contain a unique identification number linked to records in a database in order to validate identity. Barcodes and QR codes on non-electronic cards can automate the process of data-capturing and reduce errors.

Non-electronic cards provide the simplest method of identity authentication. They also have a high level of interoperability with other technologies. They are usually more affordable than other methods of authentication since they are easy to implement and do not usually require additional technology (except for barcode or QR code scanners in some instances). These factors contribute to ease of adoption, since a high level of technological literacy is not required to use them.

However, these cards pose issues of security and scalability. They do not possess electronic security features, and anyone in possession of a card can use it in the absence of biometric validation. They are not an ideal means of local biometric authentication since any biometric template encoded on the card is either not encrypted, or in case of encryption requires keys that must be distributed and secured.[3]

Contact smart card: These cards are embedded with a microchip and processing unit which work with a card reader through physical contact. Card readers contain a processor, memory and a cryptographic controller and provide high processing speeds and security. These have seen wide country adoption, and are used to access a wide array of services.

The cards allow online and offline transactions, and attempt to secure communication through built-in hashing, digital signatures, and encryption. They are versatile across purposes and scalable as they are capable of storing and transmitting increasingly large volumes of data. Other applications can be added to the card, and they can also be used as multi-application credentials to allow physical access to various facilities.

However, these cards require a card reader in order to function, and retrieving information from them is relatively slow. While they are relatively cheaper than contactless smart cards, they can still entail high overall costs. Security issues may arise from someone guessing or observing the PIN, or stealing the biometric credentials required for authentication.[4]

Contactless smart card: These have the same features as contact smart cards with an additional radio frequency (RF) transceiver and antenna powered by electromagnetic waves emitted by the card reader. Contactless cards share similar dimensions and processor options to contact cards, but have slower data transmission rates. Documents such as electronic passports can also act as contactless cards.[5] The identity can be authenticated and verified through a password or a PIN, but this feature can also be circumvented. Cryptography implemented through an integrated circuit chip can also protect user and application information. Contactless cards are being increasingly adopted, and can be adapted for various uses because of their ability to store increasing amounts of data and perform cryptographic computations.

Contactless cards can also be expensive, making them out of reach to low-income communities. They are also subject to the same RFID tracking vulnerabilities as non-smart RFID cards.[6]

Non-smart RFID cards are a form of contactless cards that use radio frequency identification (RFID) to process the information in RFID tags. Unlike active RFID, passive RFID does not have an internal power source, and is powered by the electromagnetic energy transmitted by an RFID reader.[7] Depending on their technological specifications, non-smart RFID cards can operate at various distances. They consist of an embedded RFID tag which has a microchip with restricted computational ability and memory, as well as an antenna. Passive RFID tags work in conjunction with a reader, and the information transmitted does not typically include personally identifiable information. To prevent unauthorised access, contactless cards should ideally be stored in an RF-blocking sleeve.

These long-range cards offer the advantage of allowing quick and efficient identification, and do not require the card to be in the line of sight of the card reader. They do not contain personally identifiable information (PII); they carry only a serial number, which authorised users can use to retrieve information from a secured database.

However, when tags are not shielded, they could be read by both authorised and unauthorised individuals and by rogue RFID readers. This raises privacy, surveillance and security concerns, and individuals will not know that their information has been compromised. Overall, this is a baseline technology that requires relatively low investment to implement, but it is more expensive than barcode stickers and readers (which could be a point of comparative disadvantage and an obstacle in developing countries). Scalability issues also arise because these cards store limited amounts of data and lack sufficient processing power.

Biometrics: When biometrics used in identification are assigned the nature of an ID credential, authentication usually involves matching the person’s biometrics against the biometrics stored in the ID system, collected during the process of identification. Biometric technologies involve a risk of both false positives and false negatives, particularly in large populations. Biometric factors are immutable and, in most cases, visible in the public domain. This makes them impossible to change if breached, and they are susceptible to forgery.

Biometric system on card (BSoC): BSoC technology involves a smart card with a biometric sensor and matcher. After a biometric sample is captured by the sensor, its biometric features are extracted by the processor and verified against the enrolled feature set. All data remains on the card.

BSoC provides more secure authentication, since it is only performed in the presence of the cardholder, and this technology is fairly resistant to circumvention. Only authentication data (and not PII) is transmitted. Since the card does not require biometric fingerprint information to be transmitted to a central server, this technology is fairly scalable. It does not require external biometric fingerprint readers, which can be expensive; however, this technology is more expensive than standard smart cards. While authentication accuracy is moderate, matching speed is high. If mishandled, the performance of the cards may be affected by wear and tear.[8]

When determining the selection of an ID artifact, ID providers should take into account the following factors:

Level of technological literacy of targeted individuals, and quality of access to internet and technological infrastructures: For instance, in India, the implementation of Aadhaar has led to large-scale exclusion through authentication failures caused by poor internet connectivity[9] and lack of proper training of operators.[10]

Uses of the ID: The choice of ID artifact and authentication-credential should be secure and support the proper exercise and enjoyment of the individual's rights.

Risks of biometric factors: Opting for biometric factors should be justifiable in terms of proportionality since biometrics create serious privacy and security risks, and may be a violation of privacy and other fundamental human rights.


4. How should verification be done?

  • What are the attributes and documentation required to verify a user’s identity?
  • In the absence of required documentation to establish identity, can a user’s identity be vouched for by a reliable person?
  • Is identity proofing based on government sources such as existing civil registration systems/ legacy identification systems?
  • Does identity proofing involve deduplication based on biometric or biographic data?

During the registration phase of a digital ID system, an applicant goes through the process of recording their attributes (identity claim) and verifying their data (identity proof). This verification process forms an important part of the ID system, and is often determinative of both the trustworthiness of the final identity credentials, as well as the inclusivity of the ID system. This also presents a trade-off: a process that requires comprehensive documentation or identity evidence to verify an applicant’s identity might ensure reliability of the ID, but may make it less accessible to applicants who do not have these required documents or are otherwise unable to complete such a robust vetting process. It could also substantially increase the costs for the implementing country.

Typically, credentials and documents that have already been issued are used to demonstrate attributes for this stage, as prescribed by the identifying entity. This can follow several different models:

Civil Registration and Vital Statistics (CRVS) Systems: Here, an applicant’s identity attributes are verified by comparing them to supporting documents such as birth certificates, marriage certificates, passports, driving licenses, and death certificates. This might also involve checking the authenticity and accuracy of these documents, and that the applicant is the true owner of the claimed identity and evidence.

Vouching: In some countries, such as India and Nigeria, the verification process also allows vouching of an applicant’s identity by certain individuals (such as designated ‘introducers’ in India) when the applicant does not possess the required identity documents. This is particularly for excluded populations that do not possess any legal identity, and is intended to minimize the inevitable exclusions that arise from insisting on specific identity documents.

Credit reference agencies: These agencies produce scores of ‘credit-worthiness’ of individuals based on an analysis of their credit histories, personal information, and other factors. This score may legally be provided to various identifying entities (employers, lenders, etc.), and is widely used in countries where banking is accessible. This, among others, is used by the UK Verify service while enrolling users. It is considered fairly accurate.

Other existing databases: The use of other databases relies on the pre-existence of trustworthy documentation which can be utilised for verification. For instance, in Estonia, the Population Register containing personal information such as educational and marital records is used for verification.

Police verification: Law enforcement authorities such as police and border authorities may oversee or act as an additional step to conduct verification.

Choosing the appropriate system of verification requires consideration of many factors, but would depend most on the intended purpose of the system (and therefore the level of assurance it needs to achieve) and the unique needs and particularities of the local population. Factors to consider should include:

Costs involved: The use of an existing and reliable database to conduct verification can reduce the costs involved in performing verification through other means. It may also reduce the visits that an applicant has to make to a centre for physical checks, which in itself can act as an obstacle to digital ID adoption. For instance, in the UK Verify registration process, all the steps of verification happen online, with the ID provider checking the applicant’s identity against certain recognised databases.

Privacy and surveillance: On the other hand, the use of an existing identity database to generate a digital identity may increase risks of privacy and digital surveillance, particularly when carried out through seeding. The ID provider must also be wary of the additional privacy risks involved in using private actors or databases managed by private actors in the performance of this function, as it could lead to misuse of sensitive data (such as one prominent instance of an enrollment centre leaking the personal information of a famous cricketer).[11]

Exclusion and discrimination: Many exclusionary effects of digital ID arise at this stage, as applicants can be denied an ID due to lack of documentation, errors in the verification system, or a difficult registration process that is not well adapted to the needs of the population. Sometimes this can also be discriminatory, when it affects a particular community or group that faces special challenges in obtaining these IDs. In Kenya, border communities such as the Nubian community have to undergo a special vetting process that makes it difficult to acquire basic identity documents. Since the Kenyan digital ID requires these documents to verify identity attributes, members of these communities are more likely to be excluded from obtaining these IDs.

A flexible verification policy that allows different attributes, uses diverse methods and/or infrastructure, and accounts for exceptional situations can help mitigate these risks. The use of vouching in India and Nigeria, where many persons do not have identity documents, and the use of non-government databases such as those of credit agencies and mobile phone providers in the UK for persons who do not have government documents[12] are good practices to address exclusionary risks.

Exclusion can also arise from the costs, in both time and money, of obtaining a digital ID. In Nigeria, the verification process involves 3 visits to enrolment (or other) centres by an applicant; this may exclude that part of the population that is unable to afford such costs. Thus, a process that requires minimal physical presence (or can be conducted online if existing infrastructure allows for it), similar to the ones adopted by the UK and Canada for their digital ID systems, should be prioritised.

Deduplication and seeding: Where a country intends to only issue unique identities, the verification process often involves a deduplication of the identity information provided by the applicant. In countries with strong civil registration and vital statistics (CRVS) systems, this is often done by relying on existing databases. This can involve the process of seeding, where identity records in an existing database are mapped with those in another database, typically through a unique identifier. However, in other systems, where robust CRVS databases may not exist, other verification strategies have been employed, such as deduplication on the basis of biometrics or other demographic information. For instance, the Aadhaar system in India conducts de-duplication by comparing an applicant’s demographic and biometric information, collected during the process of enrolment, with records in the UIDAI database to verify if the resident is already in the database or not.[13] This aims to ensure that only one Aadhaar number is generated per individual in the database.


5. Who is eligible?

  • Is the coverage of the digital ID system intended to be universal or limited in its scope?

One of the central questions of national identity systems is deciding who should enrol in and use the identity system (i.e. eligibility). The candidate groups are one or both sides of each of the following pairs:

  1. residents, non-residents;
  2. citizens, aliens;
  3. adults, minors.

In the initial stages, the uses and aims of a national identity system are the typical considerations in deciding eligibility. But when ID schemes bring new aims and uses into their fold, the nexus between eligibility and the (new) uses and aims gets diluted. The cost of such an approach is high — poor choices in eligibility criteria risk the exclusion of marginalised groups, including refugees, homeless people, and migrants, from rightful access to entitlements and services.

Further, on the choice between residence, identity, and citizenship, it is not unusual for countries to revisit questions of citizenship and the processes for determining it. Making citizenship the sole eligibility criterion ignores such possibilities.


6. How should one think about interoperability?

  • Does the ID system allow or enable communication between different identity databases (domestic and international)?
  • Is the digital ID mutually recognised with that of other countries?
  • Can these identity databases communicate and exchange information in a timely and low-cost manner?
  • Does the ID system have sufficient privacy and security safeguards to regulate these information exchanges and prevent data theft, fraud, or violation of rights?

An interoperable system is one whose interfaces are understood to work with other products or systems, present or future, without restrictions. Making a digital ID system interoperable (either within the system or with other systems) has several advantages, including:

Cost: For the ID provider, the cost of adding new components or services to the system is reduced if the existing system can interoperate. By making it interoperable with an existing CRVS or identification system, it can also increase the accuracy and reliability of the system. For instance, the Aadhaar system in India was built on an open standards interoperable platform, to allow easy scalability and preclude vendor lock-in.

Utility: The ability of a foundational ID system to interoperate with other services is beneficial for both industry and individual citizens. For the former, it lowers the cost of verifying identities or collecting data, and the assurance provided by digital IDs is typically higher than that of previous paper-based ones. The e-KYC functionality of the Aadhaar system, employed by most banks, is an example of this. For citizens, a digital ID system linked to several other services increases convenience and ease of access. Estonia has made its ID system interoperable with various databases, to help users make available the data they need when accessing a service using their e-ID.

However, these benefits come at a high cost. Allowing the linkage of the ID system to other databases, especially when these are private/commercial services, risks the exposure and security of personal identity information, with the potential for commodification of personal data. Even in instances of interoperability only between government or public services, it enables multiple facets of an ID holder’s daily life to be connected to one identifier, thereby building a deep and extensive profile of the ID holder with far-reaching consequences for surveillance.

In building a system such as this, the European Interoperability Framework[14] suggests four interoperability layers that need to be defined:

  1. Legal interoperability: Legal, policy, and regulatory frameworks define the scope of interoperability, particularly with regard to data exchange and requirements for privacy and data protection.
  2. Organizational interoperability: For inter-organizational interoperability, federation, or mutual recognition of ID systems, organizations must define trust frameworks and process standards around the identity lifecycle (e.g., the eIDAS standards).
  3. Semantic interoperability: To ensure that the meaning of exchanged data and information is consistent, systems must adopt the same data standards or construct data dictionaries.
  4. Technical interoperability: To enable machine-to-machine communication, systems must adopt the same technology standards for software, physical hardware components, and systems and platforms.

Interoperability in an ID system can be looked at from different perspectives:

Subsystem interoperability: This ensures that identity databases function as efficiently as possible, as they are able to communicate with each other easily and have timely exchanges of data. This includes, for example, interoperability between fingerprints captured with a scanner device and the deduplication engine, interoperability between smartcards and readers, interoperability of biometric formats captured during registration with those captured during authentication, or interoperability between images captured by devices from different vendors. It is also an effective cost-managing measure, particularly in the long term: by having interoperable devices, software, and hardware from different vendors, identity providers can avoid vendor lock-in and allow greater choice to users.

System interoperability: Interoperability of the ID system with other domestic and international identity databases.

1. With CRVS systems: For countries with a functioning CRVS, identity databases that are built to be interoperable with it gain in cost, accuracy, and inclusion when maintaining identity information. Amongst other things, this can perform the following functions:

  1. Verification of identity information: During the registration process in Estonia, an applicant’s submitted biometrics and identity documents are checked against the Population Registry and Identity Documents Database to check their authenticity and accuracy before issuing their ID.
  2. Updating recorded identity information: This comes into play in cases such as death or a name change, since these are likely to be recorded in the CRVS.
  3. Linking ID creation to birth registration: This could include, for example, the generation of a unique identity number for a newborn by the ID system, following a notification (through a direct connection or open APIs) of a child’s birth. In some cases, this UIN could then be communicated back to the civil register. By seamlessly creating a digital ID from birth during the birth registration, this process can help ensure the inclusion of people of all ages in the ID system, increase the consistency of identities over time, and help incentivise birth registration.

However, it is important to note that the use of CRVS systems, especially where they are not well developed, could exacerbate exclusions. To ensure inclusion of the entire population, states are urged to consider alternative means of identification to address those who have been left out of CRVS infrastructure.

2. With other databases: The Estonian ID system is built to be interoperable with other public and private databases, with the ultimate goal of allowing easy access to personal information such that an eID holder need never share the same information twice. It achieves this through an interoperability service, X-Road, which links each separate public and private sector e-information system and enables them to communicate with each other without human intervention.15 In India, the India Stack comprises a family of APIs, open standards, and infrastructure components that allow a user in India to access services digitally. Here, the Aadhaar ID system sits as the “presenceless layer”, serving as a foundation for many services that are built on top of it, such that these can be delivered online, without the need for the physical presence or paper documentation of the ID holder. Services built on it include DigiLocker (for issuance and verification of documents and certificates), eSign (to electronically sign documents), eKYC (to perform Know Your Customer verification digitally) and UPI (for sending and receiving money or making payments through bank accounts).

3. With international databases: ID systems can be made mutually recognisable across countries so that digital ID holders in one country can access services in the other and conduct secure electronic transactions there. There are many uses for this, ranging from serving as a travel document to accessing banking services in other countries. The most common way of implementing this is to combine technical and other standards with a legal/trust framework.16 For instance, the eIDAS regulation in the EU creates a regulatory environment comprising standards and governance mechanisms for cross-border recognition and authentication of eIDs. This ensures that people and businesses can use their national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available.17

The risks introduced by making identity systems interoperable deserve reiteration here: they allow for sweeping surveillance, permit the system to be put to new purposes that were never consented to, and encourage the collection, sharing and commercialisation of personal information. ID providers are encouraged to carefully consider the need for, and degree of, interoperability, and to adopt a risk-based approach in implementing it. Additionally, to mitigate the risks inherent in interoperability, ID providers must use privacy by design mechanisms, set fixed purposes for the ID system to avoid mission creep, restrict the actors that can access personal data (and, for each actor, the operations it may perform, such as a yes/no verification rather than retrieval of the full record), log every cross-system query so that access can be audited, and have a robust oversight and accountability framework.
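As an added example (not the code of any system described on this page), the following Python sketch models the birth-notification exchange described under CRVS interoperability above together with the controls recommended in the preceding paragraph: every message from a connected system is authenticated, each system is bound to a fixed set of purposes, a redelivered notification does not create a second identity, the UIN is random rather than derived from the birth record, a relying party receives only a match/no-match answer rather than the record, and every request is written to an audit log. The message formats, the shared-key HMAC (standing in for the certificate-based authentication a real deployment would use), the system and purpose names and the sample birth record are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed shared secrets for the two connected systems (assumption: a real
# deployment would authenticate systems with certificates, not shared keys).
CRVS_KEY = b"crvs-shared-key-constructed"
BANK_KEY = b"bank-shared-key-constructed"


def sign(key: bytes, payload: dict) -> str:
    """Sender side: MAC over a canonical JSON encoding of the message."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class IdGateway:
    keys: dict                      # system name -> shared key
    purposes: dict                  # system name -> purposes it may invoke
    records: dict = field(default_factory=dict)   # uin -> minimal identity record
    issued: dict = field(default_factory=dict)    # crvs_record_id -> uin (idempotency)
    audit: list = field(default_factory=list)     # (system, purpose, outcome)

    def _authorise(self, system: str, purpose: str, payload: dict, mac: str) -> None:
        key = self.keys.get(system)
        if key is None or not hmac.compare_digest(sign(key, payload), mac):
            self.audit.append((system, purpose, "rejected: bad signature"))
            raise PermissionError("message not authenticated")
        if purpose not in self.purposes.get(system, set()):
            self.audit.append((system, purpose, "rejected: purpose not permitted"))
            raise PermissionError(f"{system} may not invoke {purpose}")

    def birth_notification(self, system: str, payload: dict, mac: str) -> dict:
        """CRVS -> ID system: issue a UIN for a newborn and return it to the register."""
        self._authorise(system, "birth_registration", payload, mac)
        rid = payload["crvs_record_id"]
        if rid not in self.issued:
            # Random UIN: it encodes no attribute (no date or place of birth), so
            # seeing the number reveals nothing about the person.
            self.issued[rid] = secrets.token_hex(6)
            self.records[self.issued[rid]] = {
                k: payload[k] for k in ("name", "date_of_birth")
            }
        # A redelivered notification gets the same UIN instead of a second identity.
        uin = self.issued[rid]
        self.audit.append((system, "birth_registration", f"uin for {rid}"))
        return {"crvs_record_id": rid, "uin": uin}

    def verify_identity(self, system: str, payload: dict, mac: str) -> bool:
        """Relying party -> ID system: match / no match only, never the record."""
        self._authorise(system, "verification", payload, mac)
        rec = self.records.get(payload.get("uin"))
        match = rec is not None and all(rec[k] == payload.get(k) for k in rec)
        self.audit.append((system, "verification", f"match={match}"))
        return match

    def read_record(self, system: str, payload: dict, mac: str) -> dict:
        """Full-record access: a separate purpose that verifiers are not granted."""
        self._authorise(system, "record_access", payload, mac)
        self.audit.append((system, "record_access", payload.get("uin")))
        return dict(self.records[payload["uin"]])


def demo():
    gw = IdGateway(
        keys={"crvs": CRVS_KEY, "bank": BANK_KEY},
        purposes={"crvs": {"birth_registration"}, "bank": {"verification"}},
    )
    birth = {"crvs_record_id": "BR-2021-000017",      # constructed sample record
             "name": "A. Example", "date_of_birth": "2021-11-03"}
    first = gw.birth_notification("crvs", birth, sign(CRVS_KEY, birth))
    redelivered = gw.birth_notification("crvs", birth, sign(CRVS_KEY, birth))
    query = {"uin": first["uin"], "name": "A. Example", "date_of_birth": "2021-11-03"}
    verified = gw.verify_identity("bank", query, sign(BANK_KEY, query))
    return gw, first, redelivered, verified


if __name__ == "__main__":
    gw, first, redelivered, verified = demo()
    print(first, redelivered["uin"] == first["uin"], verified)
    for entry in gw.audit:
        print(entry)
```

The point of the split between `verify_identity` and `read_record` is the one raised by the Tanzanian data-sharing agreements discussed later on this page: a relying party that only needs to confirm an identity should be technically unable to pull the record, not merely contractually discouraged from doing so, and the audit log is what lets an oversight body later check which actor invoked which purpose.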


7

What makes the ID open/closed?

  • Are enrollment and use of the digital ID mandatory or voluntary?
  • If enrollment and use of the ID are mandatory, has the identity provider identified and mitigated all legal, procedural and social factors that may prevent any person or group of persons from enrolling and using the ID?
  • If additional fees are charged for additional services associated with the ID, are these rates reasonable and transparent?
  • Has the identity provider made special provisions to minimise or waive costs of obtaining and using the ID for poor or vulnerable persons?
  • Has the identity provider made efforts to remove or mitigate all indirect costs associated with obtaining a digital ID, such as travel or administrative costs?
  • Has the identity system been designed with sufficient legal, procedural and technological safeguards to ensure that the identity system and identity data are not used to target, persecute or discriminate against any persons or groups of persons?
  • Does the identity system ensure last-mile access through the provision of online and offline infrastructure in remote areas?

The lived experiences of digital ID users, particularly in the global south, have been marked by various forms of exclusion. Many of these arise when digital ID is implemented in countries that lack the required digital infrastructure or have low levels of internet adoption, where identification involves bureaucratic or administrative processes and social barriers, and where, in combination with these factors, the digital ID is made directly or indirectly mandatory for access to benefits and services. In the absence of mitigation measures, these risks tend to amplify existing socio-economic inequalities and disproportionately affect already marginalised communities such as refugees, immigrants, women, elderly people, trans persons, sexual, cultural and religious minorities, economically disadvantaged persons and residents of rural or remote areas.

For instance, in addition to social barriers such as not being allowed to leave the house or to have their own ID cards, many women have faced obstacles in enrollment when ID systems require facial capture, which excludes women who do not wish to expose their faces for religious or cultural reasons (as in the case of women being forced to remove their headscarves for Aadhaar registration).18 Linguistic minorities have often been locked out of these systems when translation software rendered names or other important details inaccurately, so that their identity records failed to match. In areas with high rates of illiteracy, procedural barriers can also produce less reliable personal data, because enrollees may be unable to confirm that the information recorded about them is correct. In India, a large proportion of homeless and transgender persons are unable to enroll for Aadhaar despite multiple attempts to do so. Homeless persons are usually unable to furnish documentation such as proof of residence (which is a mandatory requirement). Trans persons often face bureaucratic obstacles when the gender on their existing IDs does not match their gender identity or appearance, and are also far more likely to have errors in their recorded gender data.19

Many countries also lack the basic infrastructural capacity required for successful enrollment and authentication in the digital ID ecosystem, owing to low internet penetration rates and a lack of stable electricity (among other infrastructural challenges). This is often coupled with tedious administrative or bureaucratic processes, high travel costs for persons coming from remote locations, fees charged for enrollment, failed enrollment of persons with degraded biometrics or incorrectly recorded information, and ethnic or religious minorities being targeted on the basis of sensitive information or deliberately excluded from enrollment. Despite these adverse circumstances, many countries continue to make access to essential benefits and services dependent on the identity system. Uganda goes a step further and imposes criminal and administrative sanctions for failure to register in the system.20

In addition to carrying out an impact assessment that examines exclusion risks before implementation of a digital ID system, it is imperative that countries ensure that digital ID is accompanied by analogue options to avoid or mitigate exclusion risks. This should include measures such as phasing in the new system and allowing the use of alternative means of identification when the digital ID fails.21 Simultaneously, governments must ramp up infrastructural capacity to ensure that exclusions do not arise from failure of the system due to internet or other infrastructural constraints.


8

How to ensure inclusivity and trust?

  • Is the identity system governed by a robust legal and regulatory framework?
  • Does the ID system contain sufficient safeguards to ensure that the ID provider can be trusted to manage and protect user data, and held accountable if not?
  • Is the identity information collected and stored by the digital ID accurate and safe from fraud and tampering?
  • Has the ID provider ensured high coverage of the ID by making it accessible to every section of the population, including traditionally underserved areas?
  • Are individuals able to correct/ update their personal information easily and at no cost, incentivising them to keep their personal information up-to-date?
  • Have proofing requirements for updates by individuals been determined keeping in mind the potential disincentives from updating and potential exclusions that may arise from very strict requirements?
  • Does the identity provider effectively engage with the public and relying parties to correct errors and address grievances?
  • Does the identity provider effectively engage with civil society organisations for critical feedback on the identity system?
  • Has the identity system incorporated privacy and security by design at every stage of the project?
  • Is the digital ID recognised as authoritative proof of identity by the government?
  • Has the identity provider actively worked to ensure user literacy about the ID, and minimise potential information asymmetries?

Digital ID systems involve the collection and storage of vast swathes of sensitive personal data, and so inherently restrict the fundamental rights to privacy and free expression. Any such restriction on these rights must therefore be provided for by law, backed by a legitimate aim, narrowly tailored in scope and application, accountable, and explicitly guarded against mission creep. Such a system must only be implemented within a rule of law framework that governs the use of digital ID by both public and private actors and ensures sufficient deliberation before the system is introduced. These laws must also be accessible and foreseeable to the public. This is an issue highlighted in Lesotho, where the governing Act is written only in English (which is spoken by a small minority in the country). Moreover, no digital copy of the Act is available, and a copy can only be bought at one official government printing office. The high travel costs involved in obtaining a copy make the law even less accessible to the general public.22

The legislative framework within which such a system operates must consist of both a digital ID law and a data protection law, deliberated upon and enacted by parliament rather than delegated excessively to executive order. This law must have a clearly defined and legitimate aim that outlines and limits the purposes for which the digital ID is to be used, and must name the public and private actors that operate within the system and have access to its databases. It has been observed that digital ID systems in many global south countries allow access to private parties with few controls, either directly or through the respective government entity. In Tanzania, for instance, the ID authority (NIDA) gives both public and private entities access to sensitive data through data sharing agreements. However, these agreements are not available in the public domain, and it is unclear whether private entities can access the entire database or can only use it for verification.23 To further ensure accountability, such a system must have adequate and accessible grievance redressal mechanisms that enable users to seek justice in case of misuse of their data, together with independent regulators and rigorous transparency mechanisms to hold all public and private actors accountable. While most countries have some form of redressal mechanism, it is not always possible for users to approach the relevant authority directly if the law does not provide for it, if the process is onerous, or if they are not aware of their rights. Redressal mechanisms are also essential where a user’s registration is suspended or withdrawn, as provided for in Kenya, Tanzania and Uganda.24

The privacy violations that can arise through mandatory collection of sensitive personal data, the risk of surveillance and profiling, or the lack of robust access control mechanisms require a determination of whether these measures are necessary and proportionate to achieve the legitimate aim. Data minimisation should be enforced by placing strict limitations on what categories of data can be collected, how it is stored and for how long it is retained. The law must also clearly delineate the public and private actors who have access to this data, and how it may or may not be used. Any potential harms (such as exclusion, privacy and discriminatory harms) must be accounted for through both ex-ante and ex-post preventive and mitigation measures. This approach to privacy requires that the system be examined against tangible risks to individuals, allowing the administrator to rank risks by severity and respond accordingly. The risk level arising out of a digital ID is measured in terms of severity and likelihood, and the resulting harms must then be proportionately addressed by law. Threats to the ID system can be analysed according to its uses, with a larger number of uses resulting in a higher level of risk. If the risks arising from the system are demonstrably high, mechanisms to restrict use must be employed until mitigating measures are in place. Mitigating strategies include notification in case of breach, a tested business continuity plan and increased capacity building. The choice of strategies depends on the design of the ID system and its reliance on private entities for different functions.

Finally, it is critical that the identity provider and relevant authorities actively engage with prospective ID holders and civil society through every stage of the implementation process. This should begin with incorporating feedback from civil society at the planning stage itself, and should continue through ensuring that ID holders are educated about the implications of the planned ID, how to access their information and correct it if necessary, and their right to approach the relevant authority in case of grievances such as misuse of their data or failure of the ID. Obtaining an ID should be free or as cheap as possible, and ID holders should not be charged for seeking to access or correct their information, as this acts as a disincentive and results in an inaccurate and unreliable identity database.

Notes


1 “Core Concepts and Processes”, Digital ID: Designs and Uses, last accessed December 7, 2021. https://digitalid.design/core-concepts-processes.html.
2 “Technology Landscape for Digital Identification”, World Bank, last accessed August 27, 2021. http://documents.worldbank.org/curated/en/199411519691370495/pdf/Technology-Landscape-for-Digital-Identification.pdf.
3 “Technology Landscape for Digital Identification”, World Bank, last accessed August 27, 2021. http://documents.worldbank.org/curated/en/199411519691370495/pdf/Technology-Landscape-for-Digital-Identification.pdf.
4 “Technology Landscape for Digital Identification”, World Bank, last accessed August 27, 2021. http://documents.worldbank.org/curated/en/199411519691370495/pdf/Technology-Landscape-for-Digital-Identification.pdf.
5 Machine Readable Travel Documents, Part 4: Specifications for Machine Readable Passports (MRPs) and other TD3 Size MRTDs (2021), https://www.icao.int/publications/Documents/9303_p4_cons_en.pdf.
6 “Technology Landscape for Digital Identification”, World Bank, last accessed August 27, 2021. http://documents.worldbank.org/curated/en/199411519691370495/pdf/Technology-Landscape-for-Digital-Identification.pdf.
7 “Active RFID vs. Passive RFID: What’s the Difference?”, atlasRFID, last accessed August 27, 2020, https://www.atlasrfidstore.com/rfid-insider/active-rfid-vs-passive-rfid.
8 “Technology Landscape for Digital Identification”, World Bank, last accessed August 27, 2021. http://documents.worldbank.org/curated/en/199411519691370495/pdf/Technology-Landscape-for-Digital-Identification.pdf.
9 Geeta Pillai, “Need internet to buy PDS rations? Go climb a tree,” The Times of India, March 3, 2017, https://timesofindia.indiatimes.com/india/need-internet-to-buy-pds-rations-go-climb-a-tree/articleshow/57437975.cms.
10 “Governing ID: A Framework for Evaluation of Digital Identity”, Digital ID: Designs and Uses, last accessed December 7, 2021, https://digitalid.design/evaluation-framework-02.html#ref73 citing “Economic Survey 2016-17”, Department of Economic Affairs (January 2017), https://www.indiabudget.gov.in/budget2017-2018/es2016-17/echapter.pdf.
11 “UIDAI blacklists for 10 years Aadhaar centre that leaked MS Dhoni’s personal details”, The Hindustan Times, March 30, 2017, https://www.hindustantimes.com/india-news/uidai-blacklists-for-10-years-aadhaar-centre-that-leaked-ms-dhoni-s-personal-details/story-pqMszfBXhFknMbrwcrI1qJ.html.
12 “Digital ID in the UK: Insights from Research Mapping”, Digital ID: Designs and Uses, last accessed December 7, 2021. https://digitalid.design/research-maps/uk-insights.html.
13 “Features of Aadhaar”, Unique Identification Authority of India, last accessed December 7, 2021. https://uidai.gov.in/my-aadhaar/about-your-aadhaar/features-of-aadhaar.html#:~:text=The%20de%2Dduplication%20process%20compares,in%20the%20database%20or%20not.
14 New European Interoperability Framework: Promoting seamless services and data flows for European public administrations (2017), https://ec.europa.eu/isa2/sites/default/files/eif_brochure_final.pdf.
15 “Mapping Digital Identity Systems: Estonia”, Digital ID: Designs and Uses, last accessed December 7, 2021, https://digitalid.design/research-maps/estonia.html.
16 ID4D Practitioner’s Guide (October 2019), https://documents1.worldbank.org/curated/en/248371559325561562/pdf/ID4D-Practitioner-s-Guide.pdf.
17 “eIDAS - The Ecosystem”, eIDAS, last accessed December 7, 2021. https://www.eid.as/.
18 “Women decry decree to remove headscarves for Aadhaar photo”, The Times of India, August 3, 2015, https://timesofindia.indiatimes.com/city/hyderabad/women-decry-decree-to-remove-headscarves-for-aadhaar-photo/articleshow/48322706.cms.
19 State of Aadhaar: A People’s Perspective (2019), https://stateofaadhaar.in/assets/download/SoA_2019_Report_web.pdf.
20 Digital ID in Uganda: Case study conducted as part of a ten-country exploration of socio-digital ID systems in parts of Africa (2021), https://digitalid.design/RIA%20docs/CIS_DigitalID_RIA_Uganda_31.10.21.pdf.
21 Towards the Evaluation of Socio-Digital ID Ecosystems in Africa: Comparative Analysis of findings from ten country case studies (2021), https://digitalid.design/RIA%20docs/CIS_DigitalID_RIA_Comparative_Report_5.11.21.pdf.
22 Digital ID in Lesotho: Case study conducted as part of a ten-country exploration of socio-digital ID systems in parts of Africa (2021), https://digitalid.design/RIA%20docs/CIS_DigitalID_RIA_Lesotho_31.10.21.pdf.
23 Digital ID in Tanzania: Case study conducted as part of a ten-country exploration of socio-digital ID systems in parts of Africa (2021), https://digitalid.design/RIA%20docs/CIS_DigitalID_RIA_Tanzania_31.10.21.pdf.
24 Towards the Evaluation of Socio-Digital ID Ecosystems in Africa: Comparative Analysis of findings from ten country case studies (2021), https://digitalid.design/RIA%20docs/CIS_DigitalID_RIA_Comparative_Report_5.11.21.pdf.