Digital identities refer to the identification of people using digital information. Your digital identity can be self created (e.g. social media networks), created by service providers (e.g. mobile network operators who issue unique mobile phone numbers to subscribers), or issued by your government.
Government issued digital identities are also one’s legal identity. A legal identity, typically in the form of passports, birth certificates, and national identity cards, is the recognition of an individual by the state. A legal identity affords you access to services offered by the government and private providers; for example, travel, bank accounts, and educational opportunities.
The main driver for digital ID globally is the aspiration to account for every person in line with the sustainable development goals (SDGs). An indicator for SDG 16.9 is to issue a legal identity to every person by 2030.
Digital ID involves both the identification and the authentication of persons. To identify a person, they are required to be enrolled so that their identifiers can be stored in a database for future reference.
There are three main approaches to authentication: using something that the person knows (for example a secret number), something that the person has (such as a mobile phone), or something that the person is (their physical features).
Technologies applied in digital ID include biometric data such as fingerprints, earlobes, iris, and face photos. Some countries, such as Kenya, South Africa and the UK, have also attempted to collect DNA. GPS is used to track peoples’ locations, while artificial intelligence such as facial recognition software is used to process the data collected. Countries such as China, Estonia, Ghana, and Philippines issue cards which contain information about the person, while others such as Nigeria are using mobile phones and apps.
Large scale national digital ID programmes that use biometric data require algorithms to match people with their stored credentials. Many low and middle income countries (LMICs) do not have this capacity and depend on companies such as OT Morpho to provide the algorithms.
State and private identities
It is estimated that governments will have issued about 5 billion digital IDs globally by 2024. A majority of governments that have issued digital IDs are LMICs in Africa and Asia.
Most LMIC governments that have adopted centralised ID envision a single source of personal identity about every person in their jurisdiction. Many of the countries adopting this model, for example Venezuela, are inspired by China,which is building a social credit system from digital ID.
The largest national digital ID system is Aadhar of India. Aadhar records the biometric and biographical data of an individual and issues a card, which together with biometric identity, is used to identify them as they access government services. The system is currently used for social welfare programmes such as food distribution. Private actors such as banks were also requiring mandatory use of Aadhar until this was limited by a judgement of the Supreme Court of India in August 2017. This followed a petition contesting the increasing requirement for digital ID in order to access services.
Similarly, the Supreme Court of Jamaica in April 2019 invalidated a digital ID law that envisaged centralised registration of all Jamaicans. The court declared that the system went beyond the purposes of government identity, that is, to identify persons as well as to validate identity documents presented by persons.
High income countries such as the US and the UK have adopted decentralised digital ID systems, with some such as the UK and Germany having previously avoided centralised digital ID. Besides internal population management, decentralised digital ID is used in immigration management. Many countries including the USA, UK, and the EU use biometric identification in visa applications and related processes.
Estonia has a sophisticated digital ID system, which is federated. Estonia’s system choices are influenced by its recent history of seceding from the Soviet Union, as well as traditions on protection of privacy.
Besides state issued digital ID, private systems such as social networking sites and mobile networks also provide a form of digital ID. In June 2019, the US government passed a regulation requiring visa applicants to disclose their social media and email accounts.
The fusion between state issued digital ID and private systems is often aided by legislation. Many African and Asian countries have mandatory SIM card registration laws that require one to provide their state issued ID in registration of their SIM card. In Kenya and Uganda, mobile network operators, banks, and financial institutions are required to verify state issued ID whenever customers carry out transactions such as mobile money transfer.
The need for safeguards
Digital ID can assist states in more efficient governance. With the data collected as people seek services from government agencies, governments can better understand their functions, anticipate their people’s needs, and direct resources to where they are most needed. Such information can be applied in planning for future generations, designing disaster and emergency response, and building new economic activities.
However, digital ID also increases government surveillance capabilities, providing the means to monitor and stifle dissenters, politically manipulate sectors of the population, and provide services discriminately.
The intersection of legal identity with technology has raised many concerns. Chief among them is the privacy and data protection. There are fears of surveillance by states as they acquire more granular data on people. Where data design and collection is flawed, sections of citizens (most often marginalised groups) are excluded from databases and consequential services. If not designed carefully, digital ID programmes can create databases that may easily abrogate a citizen’s rights to informational privacy and autonomy. As states continue to centralise data collection and analysis, the risk of the data being misused also increases (for example unwarranted surveillance). The ‘single source of truth’ or single provider model requires extensive data collection and for the various databases to be interconnected, contrary to responsible data-sharing practices. The problem is compounded when a country does not have a data protection framework.
Digital ID has the potential to be a socially enabling force or act as a means of information control. To ensure that it is socially beneficial, there is a need for safeguards to protect against the misuse of identification data. Among solutions being proposed is shifting the control of digital ID from government and private actors to the person. This requires that digital ID systems are designed for privacy, giving the person control over who accesses their data.
Another proposal is self sovereign identity (SSI), where individuals store their digital ID in virtual wallets and provide their identity information when required. Once produced, the identity is used for authentication but not stored with the service provider. This enhances the users autonomy. SSI is built around principles of control, access, transparency, persistence, portability, interoperability, consent, minimisation, and user protection. Blockchain technology is another mechanism for autonomy promoting identity, as it stores information on how one’s identity is used.
The World Bank and other partners have published principles on sustainable identification. These principles fall under three broad categories: inclusion, design, and governance. On inclusion, the principles call for universal coverage and removal of barriers to acquiring official ID. Under design, they envision a robust (i.e. unique, secure, and accurate) identity that is interoperable and responsive to the needs of various users. They also call for open standards and ensuring vendor and technology neutrality, privacy by design, and financial and operational sustainability. On the issue of governance, the guidelines call for data privacy, security, and user rights through a comprehensive legal and regulatory framework, including clear institutional mandates, accountability and independent oversight, and a means for the adjudication of grievances.