Why a ruling on digital ID by Kenya’s High Court has global implications for online privacy
Gretchen Bueermann and Giulia Fanti
For the estimated 1 billion people worldwide without a legal ID, digital identity programmes provide a unique opportunity for increased inclusivity, better financial participation, and wider access to government resources and initiatives.
However, for the countries implementing these programmes, the associated benefits come with a host of thorny tradeoffs surrounding privacy, security and logistics.
Following a landmark ruling by Kenya's High Court in 2021, which found the rollout of a country-wide biometric ID scheme unlawful, many countries continue to grapple with the legal, regulatory, and ethical boundaries of national identification systems.
Nationally, many countries lack clear legal precedents to govern processes and infrastructure in the digital identity space, and international consensus is just as, if not more, jumbled.
The Kenyan case echoes challenges faced by the EU, the US, and other governing bodies when it comes to digitization of national ID programmes, and the subsequent expectations of privacy for individuals and groups.
Kenya’s digital ID scheme ruled illegal
Kenya's digital ID programme, the National Integrated Identity Management System (NIIMS, whose credential is known as Huduma Namba), was ruled illegal by the High Court because the government had not carried out the data protection impact assessment required by Kenya's Data Protection Act before the rollout: there was no clear documentation of the data privacy risks, nor a strategy for measuring, mitigating and dealing with them.
Related concerns about data privacy and security have arisen in other digital ID platforms as well. For example, India’s Aadhaar is the world’s largest biometric digital ID system.
Registration is linked to biometrics and demographics, and can connect to services including SIM cards, bank accounts, and government aid programmes, making financial systems more inclusive.
Despite these advantages, Aadhaar has seen pushback regarding feasibility and privacy. For example, there are concerns that the Aadhaar database can be used to profile ethnic minorities or violate the privacy of residents.
Issues faced by many national digital ID systems
The Kenyan NIIMS ruling and experiences from other global digital ID platforms highlight three major recurring issues that characterize many national systems:
- Keeping too much personally identifiable information in one place creates new and major targets for potential attacks, including data exfiltration.
- Many countries lack the security infrastructure to protect sensitive data and maintain rigorous privacy standards.
- National digital ID programmes open the door to the further exclusion of vulnerable groups, based on factors like demographics (such as ethnicity) or socioeconomic status (for example, digital connectivity).
At their core, these concerns stem from the centralization of data, which increases the likelihood and potential damage of external cyberattacks. It also increases the viability of insider threats and lowers barriers to systematic discrimination from within government.
Reasons to reduce centralization of ID data
These threats become even more pronounced to the extent that digital ID platforms are linked to different services and use cases within a nation. As digital ID systems become more prevalent, there are compelling reasons to reduce the degree of centralization inherent to their architecture and operation.
However, managing and mitigating the degree of centralization in digital ID systems is far from trivial; the design space is vast, with subtle tradeoffs. Nation states should consider both technical and nontechnical approaches to manage centralization of ID databases.
First and foremost, to navigate this complex landscape, a multi-stakeholder approach should be taken to consider a variety of voices before rolling out new digital ID programmes. For example, many digital ID schemes (such as Estonia's, Aadhaar and MOSIP) were developed through public-private collaboration.
Access controls for digital ID systems
Many governments simply do not have the in-house capacity to roll out and maintain a new digital ID system. At the same time, care must be taken when outsourcing development and maintenance.
ID systems are critical infrastructure, and once governments are locked into a vendor, it can be difficult to back out or make changes, due to technical debt and interoperability requirements with downstream users.
From a technical standpoint, one technique for limiting the blast radius of data centralization is to partition the database and enforce access controls on the partitions. A database of digital IDs can be split according to attributes, such as the region where the identifier was first registered, with each partition treated as its own access-control boundary.
Operators can then be given access to only the subset of the data their role requires, and every query is scoped to the partitions their credential permits. Such access controls cap the damage that any single malicious or compromised operator can inflict, at the expense of greater system complexity and fragmentation.
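As an added illustration (not code from the article or from any national ID system), the following Python model shows a region-partitioned ID store in which every operator credential is bound to the partitions it may read. The records, regions and operator names are constructed for the example; the point of the last method is to compare how many records a stolen credential can reach under a flat design versus a partitioned one.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Record:
    uid: str
    region: str        # region where the identifier was first registered (the partition key)
    name: str


@dataclass
class Operator:
    name: str
    regions: Set[str]  # partitions this operator's credential may read


class AccessDenied(Exception):
    pass


class PartitionedIdStore:
    """Records are sharded by registration region; every read is scoped to one partition."""

    def __init__(self, records: List[Record]):
        self.partitions: Dict[str, Dict[str, Record]] = {}
        for rec in records:
            self.partitions.setdefault(rec.region, {})[rec.uid] = rec
        self.audit: List[str] = []

    def lookup(self, op: Operator, region: str, uid: str) -> Record:
        # The partition is checked against the operator's scope before any data is touched.
        if region not in op.regions:
            self.audit.append(f"DENY {op.name} {region}/{uid}")
            raise AccessDenied(f"{op.name} may not read partition {region}")
        self.audit.append(f"ALLOW {op.name} {region}/{uid}")
        # A uid registered in another region is simply absent here, even if it exists elsewhere.
        return self.partitions[region][uid]

    def exposure_if_compromised(self, op: Operator) -> int:
        """Worst-case number of records exfiltrable with this operator's stolen credential."""
        return sum(len(self.partitions.get(r, {})) for r in op.regions)

    def total(self) -> int:
        return sum(len(p) for p in self.partitions.values())


# Constructed sample data for the demonstration.
SAMPLE = [
    Record("K-001", "nairobi", "A"), Record("K-002", "nairobi", "B"),
    Record("K-003", "mombasa", "C"),
    Record("K-004", "kisumu", "D"), Record("K-005", "kisumu", "E"),
]


def demo() -> dict:
    store = PartitionedIdStore(SAMPLE)
    clerk = Operator("mombasa-clerk", {"mombasa"})
    admin = Operator("national-admin", set(store.partitions))  # flat, unpartitioned access
    out = {
        "total": store.total(),
        "clerk_exposure": store.exposure_if_compromised(clerk),
        "admin_exposure": store.exposure_if_compromised(admin),
        "own_region_ok": store.lookup(clerk, "mombasa", "K-003").name == "C",
    }
    try:
        store.lookup(clerk, "nairobi", "K-001")
        out["cross_region_denied"] = False
    except AccessDenied:
        out["cross_region_denied"] = True
    out["denials_logged"] = sum(line.startswith("DENY") for line in store.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

The partition key comes from the record, never from the requester, and the scope check runs before the data is read; the audit trail of denials is the signal an operations team would alert on. The trade-off the article names is visible too: a process that legitimately spans regions now needs either several scoped credentials or a separately audited cross-partition role.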
Mitigate risks of biometrics through encryption
However, access controls alone are not enough to mitigate the risks associated with storing sensitive ID information, such as biometrics.
A major risk surrounding biometrics in particular is that, unlike a password or a card, they cannot be revoked or reissued: if an attacker obtains a victim's biometric template, they may be able to impersonate the victim indefinitely, since a person's biometrics do not change.
These risks can be mitigated using emerging technologies like computation over encrypted data with rotating keys. For example, homomorphic encryption could be used to store only encrypted iris scans and conduct authentication over the encrypted data, with the decryption key held outside the database operator's trust domain. This significantly reduces the information available to the ID database operator, as well as to anyone who steals a copy of the database, and rotating the key means an old dump cannot be replayed against the live system.
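The following added Python example (not the authors' code and not a production scheme) makes the idea concrete with Paillier, an additively homomorphic cipher implemented here from scratch: the ID database stores only encrypted iris-code bits and computes the encrypted Hamming distance to a live probe, while a separate key service holds the private key and learns only the distance. The blinded re-encryption used for key rotation, the constructed 256-bit sample codes, the 0.32 match threshold and the toy 128-bit primes are assumptions of this example; the article does not specify a scheme.

```python
import random
from math import gcd

def is_probable_prime(n, rounds=32):   # Miller-Rabin test for an odd candidate n
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

class PublicKey:
    """Paillier public key with g = n + 1; ciphertexts live in Z_{n^2}."""
    def __init__(self, n):
        self.n, self.n2 = n, n * n
    def encrypt(self, m):
        r = random.randrange(1, self.n)
        while gcd(r, self.n) != 1:
            r = random.randrange(1, self.n)
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2
    def add(self, c1, c2):          # E(a) * E(b) = E(a + b)
        return c1 * c2 % self.n2
    def scale(self, c, k):          # E(a)^k = E(k*a); negative k via the inverse mod n^2
        return pow(pow(c, -1, self.n2) if k < 0 else c, abs(k), self.n2)

class PrivateKey:
    def __init__(self, bits=128):   # toy size for speed; a real deployment needs n of 3072+ bits
        p, q = random_prime(bits), random_prime(bits)
        n = p * q
        self.pub = PublicKey(n)
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        self.mu = pow((pow(n + 1, self.lam, n * n) - 1) // n, -1, n)   # L(g^lam)^-1 mod n
    def decrypt(self, c):
        return (pow(c, self.lam, self.pub.n2) - 1) // self.pub.n * self.mu % self.pub.n

class IdDatabase:
    """Holds only ciphertexts and the public key: a dump of this store leaks no iris codes."""
    def __init__(self, pub):
        self.pub, self.templates = pub, {}
    def enroll(self, uid, bits):
        self.templates[uid] = [self.pub.encrypt(b) for b in bits]
    def encrypted_hamming(self, uid, probe):
        """E(sum_i a_i XOR b_i): per bit, E(a)^(1-2b) * E(b) = E(a + b - 2ab)."""
        acc = self.pub.encrypt(0)
        for c_a, b in zip(self.templates[uid], probe):
            acc = self.pub.add(acc, self.pub.add(self.pub.scale(c_a, 1 - 2 * b), self.pub.encrypt(b)))
        return acc
    def rekey(self, uid, old_pub, new_pub, blind_reencrypt):
        """Key rotation without exposing bits: mask with random r, re-encrypt, strip the mask."""
        new = []
        for c in self.templates[uid]:
            r = random.randrange(old_pub.n)
            masked = blind_reencrypt(old_pub.add(c, old_pub.encrypt(r)))  # key service sees a + r only
            new.append(new_pub.add(masked, new_pub.encrypt(-r)))           # E'(a + r) * E'(-r) = E'(a)
        self.templates[uid] = new

class KeyService:
    """Separate trust domain holding the private key; it learns distances, never templates."""
    def __init__(self):
        self.priv = PrivateKey()
    def authenticate(self, db, uid, probe, threshold=0.32):   # Daugman-style iris HD threshold (assumed)
        return self.priv.decrypt(db.encrypted_hamming(uid, probe)) / len(probe) <= threshold
    def rotate(self, db):
        old, new = self.priv, PrivateKey()
        for uid in list(db.templates):
            db.rekey(uid, old.pub, new.pub, lambda c: new.pub.encrypt(old.decrypt(c)))
        self.priv, db.pub = new, new.pub

def demo(n_bits=256):
    rng = random.Random(7)                                   # constructed sample iris codes
    template = [rng.randrange(2) for _ in range(n_bits)]
    noisy = set(rng.sample(range(n_bits), n_bits // 10))     # ~10% bit noise between two captures
    genuine = [b ^ (i in noisy) for i, b in enumerate(template)]
    impostor = [rng.randrange(2) for _ in range(n_bits)]
    ks = KeyService()
    db = IdDatabase(ks.priv.pub)
    db.enroll("K-001", template)
    res = {"hd_matches": ks.priv.decrypt(db.encrypted_hamming("K-001", genuine)) == len(noisy),
           "genuine": ks.authenticate(db, "K-001", genuine),
           "impostor": ks.authenticate(db, "K-001", impostor)}
    ks.rotate(db)
    res["genuine_after_rotate"] = ks.authenticate(db, "K-001", genuine)
    return res
```

Two caveats a practitioner should take from this. First, the database still processes the live probe in the clear, so the scheme protects the stored templates and any stolen dump, not the capture path; hiding the probe as well needs a cipher that supports multiplication of ciphertexts (for example a lattice-based scheme via a library) or a secure two-party protocol. Second, the protection only holds if the key service really is a separate trust domain: an operator who controls both the ciphertexts and the private key has the templates.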
Standardize ID systems for better interoperability
At the other extreme, a significant problem with existing ID solutions today is their lack of interoperability, both across nations and services. For example, registration systems for nationalized healthcare do not necessarily communicate with systems for government aid.
The fragmented state of digital ID systems inherently limits data centralization, but it can also hamper their potential benefits. Possible solutions to this problem include standardization of digital ID.
For example, MOSIP is intended to be an open-source digital ID platform for multiple nations and use cases. Others have proposed decentralized, interoperable architectures for storing digital identifiers.
These architectures would enable existing ID issuers to issue their own identifiers while maintaining ID databases in a decentralized manner – for example, on a blockchain maintained by different stakeholders.
Decentralized ID systems may pose challenges
Such technologies are relatively untested compared to more classical databases, and could introduce new challenges surrounding governance and database maintenance.
Notice that decentralized architectures do not inherently help with the problem of centralized data aggregation: many blockchain-based data storage architectures are designed mainly to provide transparency and integrity, not confidentiality, and a public ledger replicates whatever is written to it to every participant.
Privacy considerations, as well as the potential for exploitation, are central when it comes to building inclusive and valuable national digital ID systems.
Privacy vital for digital ID platforms
This infrastructure has the potential to generate value and usher in a new era of legal, digital and financial inclusion.
However, there must be a solid foundation of data protection, decentralization, and an environment of digital trust for these programmes to succeed.
The Kenyan courts have simply done the work for the rest of their peers by flagging these issues at the outset.