A project of the Centre for Internet and Society, India
Supported by Omidyar Network India
Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries.
The event began with an ice breaking game of bingo, where participants discussed one factual question about digital identity systems with another participant and mutually agreed on an answer, and following the same process with as many people in the room, find answers to all the questions supplied to them. Next, Subhashish Bhadra, Principal at Omidyar Network India, moderated a panel discussion on Digital ID systems, and a Q&A session with the panelists. The panelists were Isaac Rutenberg from CIPIT, Fabro Steibel from ITS, and Amber Sinha from CIS. This was followed by a presentation by Thea Anderson, Director, Omidyar Network on Good ID. Finally, participants broke out into three groups to discuss privacy, inclusion, and user control and value. At the event, we also launched this website, Digital Identities Design and Uses, which will feature our work on the appropriate design and use of digital identity for the next two years.
We announced the publication of early drafts for discussion of appropriate uses of digital identity systems, by Institute of Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT), and the Centre for Internet and Society (CIS). The draft framework by CIS takes the form of a set of principles against which a digital identity system may be evaluated. We are working towards developing these principles into a set of best practices that can be used by policymakers when they create and implement digital identity systems, can guide civil society in their examination of such systems, and highlight areas for further research.
Our draft takes a first principle, top down approach that sets out universal principles applicable across different jurisdictions. Over the next two drafts, these principles will be built into best practices and tests, which will draw from, among other things, the legal experience with existing digital identity systems. We will also identify real life uses of digital identity to see how the framework can be applied to them. We are starting with a first principles approach as it is useful to solve complex sets of problems relying only on basic and fundamental principles. To begin with, we hope to reduce our study of digital identity down to its most fundamental and essential parts. This would also diminish the possibility of building on flawed and incorrect information. While following this approach, we are also cognizant of its disadvantages. Universal principles are differently applicable to different contexts, and therefore must be tailored to each country or issue during application. We will look to address some of these concerns as we work on subsequent drafts.
The panel discussion centred largely on the evolution of Digital ID systems in the jurisdictions of Brazil, Kenya, and India, and the lessons and questions that emerge from them. Panelists examined the major issues that had plagued digital identity systems in their countries, and in particular, the privacy threats and the exclusion concerns of marginalised section of society. In a free flowing discussion, participants covered a lot of ground discussing the role played by civil society in addressing the concerns of digital identity, the impact of multilateral institutions such as the World Bank, which are major funders of ID systems, and the need for better accountability mechanisms. Amber Sinha, representing CIS, introduced approaches drawing from existing legal theories and other disciplines, and discussed how the uses of Digital ID systems may be evaluated.
The Q&A session threw up a number of very useful interventions. It was pointed out that the focus of research and policymaking should not just be restricted to how digital identity may be used, but also focus on why it is needed at all. This is a question we also ask in our draft framework, as the need for any technological solution should only arise from specific problems that the technology could solve.
As there is more and more deployment of digital identity, participants highlighted that both research and advocacy must not merely concern themselves with concepts around digital identity in the abstract, but also focus on people’s lived experiences with the technology. The aim should be to design solutions that address people’s problems. Without this careful consideration, it creates the risk of technological solutions driven by a state’s surveillance agenda, or the profit motive of the private sector.
Amba Kak of Mozilla Foundation pointed out that there is a need to investigate what are acceptable risks of identity systems. When commentators analyse the uses of ID and the potential dystopia it may lead to, such efforts should not be seen as alarmist, but legitimate inquiries that need to be made to assess the potential harms of the system. This concern is also addressed in the third leg of our draft framework, which presents a risk based approach to evaluate both the likelihood and severity of potential harms.
The event ended with discussions in three breakout sessions on digital identity looking at the values of privacy, inclusion, and user control and value. Some of the key issues discussed were the problems of inclusion, specifically with respect to disabled people and refugees; the lack of uniform literacy in all issues applicable to ID; and the impacts of ID theft on different people. The group observed that these problems have to be documented from the commencement of any ID project, and that gathering on-the-ground stories and anecdotal evidence is a good way to achieve this. There were also suggestions that the Geneva Convention could be updated to include data and identity, and observed that it is necessary to return to basic questions of why we have ID, how to limit its use, which issues it may not be able to solve, etc. The discussions on privacy focused on the differences between digital IDs and legal IDs, the use of biometrics in ID systems, how privacy principles could address these concerns, and mandatory and voluntary uses of Digital ID.