DIGITAL IDENTITY: A RIGHTS-BASED EXPOSITION (PART II)

Everyone has the right to recognition everywhere as a person before the law[1]. The element of registration is critical to the realization of this right, as it provides a secure and trustworthy way to prove one’s identity. To this end, establishment, strengthening or reform of national identification systems (including civil registries) are taking place in multiple countries.

National identity schemes can be defined as “government-initiated programs that assign a unique identification number to each targeted participant, which is used for identification verification”[2]. Over 160 countries[3] so far have some form of national identification system, be it i) digital or physical; or ii) mandatorily imposed or merely encouraged. Some have none at all. Recently we have witnessed the rise of government-initiated and administered programmes to provide a single digital identity to residents and/or citizens of a country. Many such programmes entail a push to collect, store and use the biometrics of individuals as the primary means of establishing and authenticating their identity[4].

As stated in Part 1, identification plays an important role in facilitating citizen interactions with government and private organizations. Robust citizen identification is meant to improve service delivery, reduce the pilferage in government subsidies, ensure the inclusion of right beneficiaries, increase tax collection, enhance a country’s security posture and improve delivery of social programmes[5].

Despite these compelling motivations, an overwhelming majority of low- to middle-income countries lack adequate systems to register births or uniquely identify people living within their borders. Where identification systems exist, they are often fragmented across several functions and agencies, leading to duplication and inefficiencies[6]. The World Bank is a proponent of centralized digital identification systems, and maintains that it is a critical enabler for achieving development outcomes by providing access to finance, healthcare, education, and other crucial services and benefits; and posits that it can even help developing countries leapfrog traditional-paper based approaches to build stronger and more efficient 21st century systems[7].

However, critics have responded by cautioning that such national digital identity schemes “may not in fact ensure more effective distribution of benefits, better service delivery, or improved governance” and at the same time they raise serious concerns, including apprehensions about how such programmes are designed or governed; the potential for social exclusion; privacy and data protection; and cybersecurity.”[8] These and other concerns will be discussed in this piece.

Kenya recognized that there was an urgent need to eliminate fragmentation of registration information which existed across different agencies, both primary and secondary[9]. Ideally, a digital identification system should be integrated with civil registration, which is the official recording of births, deaths, and other vital events including marriages, deaths, divorces, annulments, separations, adoptions, legitimations, and recognition[10]. After the establishment of a National Population Register (NPR) with data on all Kenyan citizens and foreign residents, the government sought to fully roll out the second component which is a unique identifier that is to be assigned to every person’s record at birth, which then acts as a reference in all transactions regarding that person from then on[11].

The Integrated Population Registration System (IPRS) compiles and links these datasets, making it easy for government agencies and private institutions to access individuals’ entire registration and identification records using a single personal identification number — the national ID number. The IPRS system is expected to boost business and enable the government to provide adequate and efficient socioeconomic services to citizens. Kenya’s additional motivations for the single ID, owing to its unique geographical positioning and socio-economic context, is to curb corruption, trafficking, money laundering and financing of terrorism[12].

However, no matter how persuasive these arguments may be or appealing the incentives, those concerned about the governance of digital rights such as Access Now[13] warn that such programmes pose significant risks for human rights. In particular, they threaten to undermine the right to privacy ​and chill ​freedom of movement, the freedom of expression​, among others.

For instance, and as discussed in Part 1, collection of biometric data is not the sole preserve of governments, it is also undertaken by multilateral agencies to identify and verify identity. Agencies like UNHCR do so to feed, shelter, protect and administer large groups of refugees and displaced persons. However, for those fleeing conflict or persecution, should this highly sensitive information fall into the wrong hands — whether as a result of data sharing agreements, leaks or criminal hacking — the consequences could be dire. This was the case when a list of refugee students who had fled the Democratic Republic of Congo was shared by the UNHCR with the government of the Central African Republic[14] from whence the students had fled, potentially putting them at risk. Presently as pertains to the Rohingya people, the biometric data collected is not only being used to distribute aid, but also to control their movements.

Another example of how biometric databases may actually threaten fundamental rights was seen when the Government of Kenya sought to conduct a HIV study the purpose of which was to fill gaps in documentation and insights relating to key populations[15], in order to enable better targeting of resources. A report entitled “EveryOneSaidNo”: Biometrics, HIV and Human Rights — A Kenyan Case Study, highlighted

i. the risk of function creep in use of biometrics (with data collected for health purposes potentially being used by police to target key populations for arrest);

ii. the risk of data breaches that could expose stigmatized populations publicly to their families and communities;

iii. the resulting risk of discrimination, including in access to government services; about the relationship between the state and private sector in biometrics data-gathering; and

iv. the need for meaningful informed consent and participation by communities in decisions that affect their health and rights.

In fact, while seemingly benign (and prima facie beneficial), health sector databases and the innovation around such systems are a source of great controversy — as was the case a decade ago in Iceland, and recently in Australia — especially around the crucial matter of consent.

Such cases act as cautionary tales. Access Now in its report has noted that such systems typically entail the creation of centralized troves of sensitive personal data, making them susceptible to breach by malicious actors or abuse by public authorities, and in addition, carry risks for ​cybersecurity and information disclosure​. Such centralized programmes “have the potential to turn a digital ID into a pervasive means of identification, tracking, or control, especially when such identities are biometrically linked and made mandatory”[16].

Returning to the mandatory/voluntary dichotomy: the mandatory nature of the documents the subject of these systems raises concerns about yet other civil liberty infringements.

In some countries, it is mandatory to be in possession of an identity document once one attains a certain age. Failure to produce one upon request by an authorized agent or officer can attract penalties. National identity systems present difficult choices about who can request to see an ID card and for what purpose. Mandatory IDs significantly expand police powers. Police with the authority to demand ID are invariably granted the power and discretion to detain people who cannot produce one. Many countries lack legal safeguards to prevent abuse of this power[17]. One organization has even stated that “the requirement to produce identity cards on demand habituates citizens into participating in their own surveillance and social control”[18]. This is reminiscent of Kenya’s kipande system[19].

But the fact is that, even those who acquire identification documents voluntarily cannot, debatably, be said to actively choose to be a part of the system. Instead, it may a false dilemma. Considering the multiplicity of spaces one must produce identifying information, it should be considered de facto mandatory. The Australia Card campaign referred to the card as a license to live. A necessity for life[20]. And for life it is. A UK privacy campaigner penned that one cannot “apply for [it] without also applying to be entered, for life, on the national identity register”. One cannot fill in a form and apply to enforce their right to be forgotten. The right to erasure is distinct from the right to privacy, due to the distinction that the right to privacy applies to information that is not publicly known, whereas the right to be forgotten involves removing information that was publicly known at a certain time and denying third parties access the information[21]. In fact, privacy has been aptly described as “the power to selectively reveal oneself to the world.”[22] What obligations do states which gather identifying data from its residents and citizens owe?

The Puttaswamy case[23] — which challenged that the Aadhaar scheme was incompatible with the fundamental right to privacy — is illustrative here.

The Supreme Court of India in its landmark judgement pronounced that privacy has both positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual. It further opined that informational privacy is a facet of the right to privacy and that the dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”[24].

More pertinent for our purpose presently is, what does the SCOI state about the right to be forgotten viz the database of identifiers? Whereas this right to control dissemination of personal information in the physical and virtual space should not amount to a right of total erasure of history, this right, as a part of the larger right or penumbra of privacy, has to be balanced against other fundamental rights like access to information, freedom of expression, or freedom of media, fundamental to any democratic society. Even the EU General Data Protection Regulation (GDPR) has recognized the right to be forgotten[25].

This does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognize a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/ information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/ data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.

In Kenya, concerns about data protection and privacy have come to the fore in the recent past precipitated by the invasion of the political into users’ personal and social spaces in the form of unsolicited campaign messages and manipulative ‘apocalyptic attack ads’ during the protracted 2017 electoral period. Stakeholders were not only worried about the phenomenon of digital election campaigns in the country but about the larger picture as well, especially in the absence of a comprehensive legal framework governing data protection and privacy. Once again, we see the link between the civic imperative of participation in the political sphere, and ones’ digital identity and experience[26].

For the reasons enumerated above, and others, it is no wonder that states such as the United States, the United Kingdom, and Australia have vehemently opposed the introduction of centralized biometric identity systems/databases. Industry expert Nanjira Sambuli posed some crucial questions on her Twitter account regarding these nations. She inquired:

We would do well to interrogate the rationale behind these systems too.

The final installation of the ‘Who are you?: Exploring the digital identity ecosystem’ will analyze digital identity with regards to smart cities, smart policing and the mass surveillance capabilities and uses.

[1] Article 6 of the Universal Declaration of Human Rights

[2] Review of National Identity Programs (ITU-T, 2016)

[3] https://www.worldprivacyforum.org/2017/07/national-ids-around-the-world/

[4] Id.

[5] World Bank Group Identification for Development (ID4D) Making Everyone Count brochure available at http://pubdocs.worldbank.org/en/726141507833458171/ID4DBrochure101217.pdf

[6] Id.

[7] See the Kosovo example in Part 1

[8] National Digital Identity Programmes: What’s Next? (Access Now, May 2018 accessible at https://www.accessnow.org/cms/assets/uploads/2018/06/Digital-Identity-Paper-2018-05.pdf)

[9] In Kenya, identification information is housed in primary registration agencies such as the Civil Registration Department, National Registration Bureau, Immigration Department and Department of Refugees’ Affairs. Secondary registration information is found under NSSF, KRA, and NHIF as well as ORPP, IEBC, NTSA, HELB, and NEMIS.

[10] United Nations Department of Social and Economic Affairs (2014). Principles and Recommendations for a Vital Statistics System, Revision 3. Retrieved from: https://unstats.un.org/unsd/demographic/standmeth/principles/M19Rev3en.pdf

[11] http://www.president.go.ke/2015/03/11/integrated-data-system-to-make-e-government-a-reality/

[12] Id.

[13] National Digital Identity Programmes: What’s Next? (Access Now, May 2018 accessible at https://www.accessnow.org/cms/assets/uploads/2018/06/Digital-Identity-Paper-2018-05.pdf)

[14] https://www.wired.co.uk/article/united-nations-refugees-biometric-database-rohingya-myanmar-bangladesh

[15] The government research team had aimed to use biometric data to manage the risk of double-counting, in consideration of the fact that key populations tend to be highly mobile.

[16] National Digital Identity Programmes: What’s Next? (Access Now, May 2018 accessible at https://www.accessnow.org/cms/assets/uploads/2018/06/Digital-Identity-Paper-2018-05.pdf)

[17] The Electronic Frontier Foundation available at https://www.eff.org/issues/national-ids

[18] Id.

[19] Writing about this, lawyer Francis Monyango recalls: “Joseph Kamaru’s rendition of the Mau Mau song “Uhoro Uria Mwaiguire” tells of a community mourning the incarceration of war heroes who refused to have their fingerprints taken.” (https://www.nation.co.ke/oped/opinion/Biometric-data-collection-in-Kenya-risky/440808-4314544-uvfi2ez/index.html)

[20]. For example, the Indian Government even introduced amendments to the 2017 Finance Bill at the 11th hour, making Aadhaar mandatory for filing taxes, a key obligation as an adult citizen. The amendments stated “Every person who is eligible for an Aadhaar number shall, on or after the 1st day of July 2017, quote Aadhaar number “(i) in the application form for allotment of the permanent account number; and (ii) in the return of income”. Since then, however, a Delhi High Court directed the Central Board of Direct Taxes (CBDT) to accept e-filing returns without quoting an Aadhaar or Aadhaar enrolment number. And it has been reported that CBDT extended the deadline for the PAN-Aadhaar linking to March 31, 2019; before which there should be an “opt out” option for people filing their returns online. (https://indianexpress.com/article/india/delhi-high-court-directive-now-i-t-returns-can-be-filed-online-without-aadhaar-number-5274319/)

[21] https://en.wikipedia.org/wiki/Right_to_be_forgotten

[22] https://www.activism.net/cypherpunk/manifesto.html

[23] The Supreme Court recommended that the Union Government examine and put into place a robust regime for data protection. It stated that “the creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits.”

[24] Supreme Court of India Judgement in right to Privacy available at https://www.sci.gov.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf

[25] Although Directive 95/46/EC does not explicitly guarantee “the right to be forgotten”, in the widely known Google Spain judgment the Court interpreted legal provisions of the Directive in such way which made it possible to satisfy the data subject’s complaint. In particular, the Court relied on data subject’s right of access to data (the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive) as well as data subject’s right to object, which obliged the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person. See https://inforrm.org/2018/05/31/right-to-erasure-right-to-be-forgotten-under-the-gdpr-the-danger-of-rewriting-history-or-the-individuals-chance-to-leave-the-past-behind-ketevan-kukava/

[26] The legal regime will no doubt be strengthened by the enactment of these laws this year. However, it should be noted that the Communications Authority did issue guidelines on prevention of dissemination of undesirable bulk and premium rate political messages and political social media content via electronic communications networks in 2017