Digital identities

AI and digital identities

AI enhances digital identity schemes through advanced identification techniques, providing accurate and speedy verification while also posing risks such as tracking, profiling, bias, and potential manipulation.

AI enhances digital identity

AI offers a wide range of techniques to help with the identification of persons. Such techniques include biometric recognition of the face, voice, and fingerprint, as well as behaviour analysis and pattern recognition. By analysing large amounts of data in real-time, such AI systems can verify a person’s identity with greater accuracy and speed than traditional methods. This way, AI improves the protection of digital identities by preventing unauthorised access. 
The use of AI in the digital realm is increasingly key to the creation and management of hyper-avatars, which serve as an online/digital manifestation of one’s identity. Presently, individuals typically lack complete ownership and control of their digital identities on the internet. To enable seamless movement between multiple platforms, owning and controlling one’s digital identity is essential, particularly when such identities incorporate biometric data.

AI can endanger digital identity

There are several ways in which AI can endanger digital identity. Tracking and profiling of individuals, coded bias or errors in the identification process are among the main risks when AI is used to identify people. Bias and errors can lead to harmful consequences in job searches, credit applications, and even law enforcement. Furthermore, cybercriminals can take advantage of weaknesses in AI models utilised for verifying digital identities, resulting in unauthorised entry, stolen identities, and impersonation. And even when AI is not used as part of the digital identity solution, malicious actors could use AI to hijack or manipulate a person’s digital identity. Moreover, deepfake technology powered by AI algorithms enables the creation of realistic fake content that can be used to manipulate and impersonate individuals, undermining the integrity of digital identity systems. Learn more on AI Governance.
Digital identities refer to the identification of people using digital information. Your digital identity can be self-created (e.g. social media networks), created by service providers (e.g. mobile network operators who issue unique mobile phone numbers to subscribers), or issued by your government. Government issued digital identities are also one’s legal identity. A legal identity, typically in the form of passports, birth certificates, and national identity cards, is the recognition of an individual by the state. A legal identity affords you access to services offered by the government and private providers; for example, travel, bank accounts, and educational opportunities. The main driver for digital ID globally is the aspiration to account for every person in line with the sustainable development goals (SDGs). An indicator for SDG 16.9 is to issue a legal identity to every person by 2030.

Digital ID involves both the identification and the authentication of persons. To identify a person, they are required to be enrolled so that their identifiers can be stored in a database for future reference.

There are three main approaches to authentication: using something that the person knows (for example a secret number), something that the person has (such as a mobile phone), or something that the person is (their physical features).

Technologies applied in digital ID include biometric data such as fingerprints, earlobes, iris, and face photos. Some countries, such as Kenya, South Africa and the UK, have also attempted to collect DNA. GPS is used to track peoples’ locations, while artificial intelligence such as facial recognition software is used to process the data collected. Countries such as China, Estonia, Ghana, and Philippines issue cards which contain information about the person, while others such as Nigeria are using mobile phones and apps.

Large scale national digital ID programmes that use biometric data require algorithms to match people with their stored credentials. Many low and middle income countries (LMICs) do not have this capacity and depend on companies such as OT Morpho to provide the algorithms.

It is estimated that governments will have issued about 5 billion digital IDs globally by 2024. A majority of governments that have issued digital IDs are LMICs in Africa and Asia.

Most LMIC governments that have adopted centralised ID envision a single source of personal identity about every person in their jurisdiction. Many of the countries adopting this model, for example Venezuela, are inspired by China,which is building a social credit system from digital ID.

The largest national digital ID system is Aadhar of India. Aadhar records the biometric and biographical data of an individual and issues a card, which together with biometric identity, is used to identify them as they access government services. The system is currently used for social welfare programmes such as food distribution. Private actors such as banks were also requiring mandatory use of Aadhar until this was limited by a judgement of the Supreme Court of India in August 2017. This followed a petition contesting the increasing requirement for digital ID in order to access services.

Similarly, the Supreme Court of Jamaica in April 2019 invalidated a digital ID law that envisaged centralised registration of all Jamaicans. The court declared that the system went beyond the purposes of government identity, that is, to identify persons as well as to validate identity documents presented by persons.

High income countries such as the US and the UK have adopted decentralised digital ID systems, with some such as the UK and Germany having previously avoided centralised digital ID. Besides internal population management, decentralised digital ID is used in immigration management. Many countries including the USA, UK, and the EU use biometric identification in visa applications and related processes.

Estonia has a sophisticated digital ID system, which is federated. Estonia’s system choices are influenced by its recent history of seceding from the Soviet Union, as well as traditions on protection of privacy.

Besides state issued digital ID, private systems such as social networking sites and mobile networks also provide a form of digital ID. In June 2019, the US government passed a regulation requiring visa applicants to disclose their social media and email accounts.

The fusion between state issued digital ID and private systems is often aided by legislation. Many African and Asian countries have mandatory SIM card registration laws that require one to provide their state issued ID in registration of their SIM card. In Kenya and Uganda, mobile network operators, banks, and financial institutions are required to verify state issued ID whenever customers carry out transactions such as mobile money transfer.

Digital ID can assist states in more efficient governance. With the data collected as people seek services from government agencies, governments can better understand their functions, anticipate their people’s needs, and direct resources to where they are most needed. Such information can be applied in planning for future generations, designing disaster and emergency response, and building new economic activities.

Read more about inclusive finance.

However, digital ID also increases government surveillance capabilities, providing the means to monitor and stifle dissenters, politically manipulate sectors of the population, and provide services discriminately.

The intersection of legal identity with technology has raised many concerns. Chief among them is the privacy and data protection. There are fears of surveillance by states as they acquire more granular data on people. Where data design and collection is flawed, sections of citizens (most often marginalised groups) are excluded from databases and consequential services. If not designed carefully, digital ID programmes can create databases that may easily abrogate a citizen’s rights to informational privacy and autonomy. As states continue to centralise data collection and analysis, the risk of the data being misused also increases (for example unwarranted surveillance). The ‘single source of truth’ or single provider model requires extensive data collection and for the various databases to be interconnected, contrary to responsible data-sharing practices. The problem is compounded when a country does not have a data protection framework.

Digital ID has the potential to be a socially enabling force or act as a means of information control. To ensure that it is socially beneficial, there is a need for safeguards to protect against the misuse of identification data. Among solutions being proposed is shifting the control of digital ID from government and private actors to the person. This requires that digital ID systems are designed for privacy, giving the person control over who accesses their data.

Another proposal is self sovereign identity (SSI), where individuals store their digital ID in virtual wallets and provide their identity information when required. Once produced, the identity is used for authentication but not stored with the service provider. This enhances the users autonomy. SSI is built around principles of control, access, transparency, persistence, portability, interoperability, consent, minimisation, and user protection. Blockchain technology is another mechanism for autonomy promoting identity, as it stores information on how one’s identity is used.

The World Bank and other partners have published principles on sustainable identification. These principles fall under three broad categories: inclusion, design, and governance. On inclusion, the principles call for universal coverage and removal of barriers to acquiring official ID. Under design, they envision a robust (i.e. unique, secure, and accurate) identity that is interoperable and responsive to the needs of various users. They also call for open standards and ensuring vendor and technology neutrality, privacy by design, and financial and operational sustainability. On the issue of governance, the guidelines call for data privacy, security, and user rights through a comprehensive legal and regulatory framework, including clear institutional mandates,  accountability and independent oversight, and a means for the adjudication of grievances.

Read more about Blockchain.