A blogpost by Valerie Khan, digital identity advisor.

Posted 15 October 2018 by

A primary purpose of a legal identity is to empower all individuals to have access to rights, services and the formal economy. Digital identities are necessary in a developed nation that tries to provide its citizens with a secure, safe, convenient and reliable platform. However, less developed nations are in similar needs and are rapidly digitising. On one hand, the World Bank has identified about one billion people without identity, on the other hand, governments around the world are recognizing the benefits of upgrading their traditionally limited and paper-based ID records. They witness incredible growth in countries like Estonia from a former USSR nation to a digital flagship or the incredibly fast digital registration of over a billion people in India.

Yet, these benefits are coming at an increasingly growing cost that puts the public at risk. This is because a digital identity is made up by information that by definition contains personal data. And digital data has become the target of many attacks. Almost 15 billion records were reported lost or stolen since 2013, though the real number is far higher. Around 71% of these records are referring to identity theft and account access. The most infamous case happened 2017 in the US at Equifax. It resulted in a data theft of 143 million consumers’ personal data that could be used to open bank accounts, apply for loans and similar liabilities. This is particularly important because credit bureaus such as Equifax are used throughout the industrialised world as a reference source for the creation and issuance of digital identities. If the confidentiality of such data is lost, then the underpinnings of our digital identities become very insubstantial.

Governments suffer the second highest rate of breaches[1].  A massive breach of note exposed the data of 191 million voters during the 2015 election process in the District of Columbia. We are just starting to understand the implications of these breaches, and examples like Cambridge Analytica show that access to personal information is a bigger risk for democratic, social and economic stability beyond the individual risks for citizens.

Why are governments targeted and compromised so easily? Too often, personal identifiable information is stored in central databases where access to one database provides an attacker with a variety of information attached to each person, including, implicitly, the links between the different kinds of information. As the number of links among different kinds of information increases, so does the value of accessing the dataset.

The mild public reaction to these breaches is somehow surprising considering that both identity and privacy are human rights. The right to personal identity was captured in 1948 by The Universal Declaration of Human Rights to preserve the biological and philosophical elements of all human beings. Privacy is also a human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. Nearly every country in the world recognizes the right to privacy explicitly in its constitution.

This dichotomy of human rights offences and a lax response results in lost trust between people and their communities and governments. But trust matters. In a world that is much defined by measurable impact indicators, trust seems to be an un-measurable benefit. But that is a misunderstanding as creating trust carries huge advantages.  It is worth understanding them. For example, the main reason for developing countries not winning foreign direct investments is because investors do not trust local structures; millions of users deleted their Facebook accounts after they lost trust in the company’s data protection standards; in Tunisia plans for a biometric national ID card were withdrawn following privacy concerns. In fact, markets depend on trust to operate smoothly.

“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S.

So, what can be done to win back the trust around digital personally identifiable data? The European Union recently set an example through its extended definition and protection of ‘Personal Data’ as part of the General Data Protection Regulation (GDPR). The EU holds a unique leadership position in how it addresses digital data connected to identity, both from a human rights perspective as well as in its implementation. Rather than focusing on short-term benefits, the EU takes a long-term sustainable view based on a privacy-by-design approach. Counter-arguments for the wider adoption of stronger privacy laws and their accountability are usually related to the fact that other countries and regions are not suitable or not yet able to adopt these changes due to different ecosystems, infrastructures or values.

But privacy is not an option, so how can less developed countries be supported in their quest to meet these higher standards. Two examples can be:

  1. The World Bank is one of the major convenors to overcome the identity gap in a principled manner. In November they will be launching a call for ideas to find solutions that can serve privacy whilst combine them with the pressing issues and shortcomings on the ground. Get involved in the Mission Billion Challenge on ‘Privacy by Design and Greater Control of Personal Data’.
  2. Building on the unique leadership position, the EU and its individual member states should more actively support implementers in striking the balance of cost and benefit. The value that the EU offers its citizens has a far greater potential to be exported and there is a strong need for advocacy beyond the European countries. This is a great opportunity for the global community to accelerate the discussion. It is also an opportunity for the EU to be further recognised for its work around sustainability, ethics and empowerment.

[1] 18% of total breaches in 2017. See https://www.breachlevelindex.com/

Valerie Khan is an independent consultant and researcher on digital identity with a focus on data protection and privacy in less developed regions. She spent over two years at the UN World Food Programme applying a research-based methodology to identify the best practice approach for implementing digital identity in a humanitarian and development environment. She is currently advising the World Bank Identity for Development (ID4D) team and the German Corporation for International Cooperation (Gesellschaft für Internationale Zusammenarbeit GIZ). She is also a working group member of the ICRC ‘Handbook on Data Protection’ and a guest lecturer for the 2018 UCL Blockchain Executive Education Programme on Blockchain for Identity.  You can find out more about Valerie here.