Questioning the Appropriate use of Digital Identity
The COVID-19 crisis highlights risks of inadequate governance and technological guardrails
If not safeguarded, large-scale, digital ID innovations that collect personally identifiable information can lead to violations of an individual’s privacy. Therefore, they need to be carefully considered and narrowly scoped. To help define this delicate balance, we provided grants to a three-country research alliance last May. The objective of this alliance is to better understand the appropriate uses of digital ID in emerging markets. In the past year, the researchers have been exploring what Good ID looks like in emerging markets. Today, COVID-19 presents an opportunity to apply these insights to a complex, real-world situation, and we have provided additional funding to CIPIT and ITS Rio to evaluate eight COVID-related uses of data and digital ID.
Read the first of many case studies by ITS Rio evaluating a government-sponsored monitoring app in Colombia.
We believe that public digital infrastructure has an important role to play at this time:
- Digital payment systems have enabled governments to swiftly deposit money into the bank accounts of vulnerable populations to help them cope with the economic shock.
- Governments are using digital ID system to authenticate program recipients and allocate limited resources among their citizens.
- Governments are using contact tracing to identify, trace, and test residents who have come into contact with infected people as a means to slow the spread and treat them.
- For similar reasons, mobile companies are sharing geolocation data with governments to help them track trends in movement and COVID-19 hotspots.
- Governments are creating apps and social media chatbots that provide COVID-related information to its citizens.
- Both governments and businesses are encouraging digital and contactless means of doing business, including contactless payments and digital signatures.
That said, without the right institutional governance, technologies that use our digital identities can lead to many kinds of risks and harms, especially at a time like this. For example, Colombia’s COVID-19 information app perplexingly collects identity information like name, sex, date of birth, ethnicity, and email. Several individuals had their identity inadvertently disclosed by South Korea’s contact tracing app, resulting in public embarrassment. Unthoughtful reliance on digital ID systems for these innovations can also exacerbate existing challenges with the exclusion of vulnerable populations from services, especially for those who the lack a digital ID or cannot authenticate themselves biometrically.
Finally, we need to ask how government-led, digital interventions that collect identity information will change the citizen-state relationship in the long run. In the Information Age, both public and private institutions derive power from data-based intelligence. If unchecked, this power can have a long-term, second-order impact on civil liberties and human rights. Therefore, governments should introduce new uses of digital ID only with the right checks and balances.
The research alliance that started investigating the appropriate use of ID last year has shaped our thinking on this issue. While each research partner will incorporate its own geographic nuances, we see a few common threads across their research.
We believe that policymakers should ask the following questions before every use of data and digital identity to fight COVID-19:
Data and digital identities should be used only when it is necessary and beneficial to society, especially after accounting for the risks and costs of doing so. Before considering such deployments, policymakers should determine:
- Is the technology being deployed to serve a legitimate state aim, such as controlling the spread of the disease or ensuring efficient welfare delivery?
- Is the stated aim specific enough?
- Will civil society and independent media be able to evaluate the government’s success in meeting the expressed aim?
- Are there alternative ways of achieving the aim, without collecting personally identifiable information? What are its costs and benefits?
Since some uses of data and digital identity can be an intrusion into an individual’s privacy, such intrusions must be minimal. This requires a careful cost-benefit analysis, which in many cases will be highly subjective. Those deploying ID-based systems should therefore evaluate the following questions:
- Is the program collecting the minimal amount of data it needs?
- Are there mechanisms to limit access to data to only those who need to see it?
- Will data collected under the program be deleted after a pre-determined period?
- Is there a sunset clause delineating when data collection programs must end?
Every use of data and digital identity should be enshrined in law. Having such a law limits the entire process, makes it transparent, and allows courts, civil society, and the media to examine both the policy and its implementation. Governments need to ask the following questions:
- Does the law clearly identify all actors who will either collect, see, or process data?
- Does the law provide redress mechanisms for aggrieved individuals?
- Is there a mechanism for the judiciary or legislature to keep the government accountable?
We believe that such transparent, accountable, and trust-building practices are necessary before using data and digital identities in the fight against COVID-19 – and gets to the heart of what Good ID is and needs to be.
As CIPIT and ITS Rio share their evaluations of how digital identities are being used to respond to the crisis, we will link them here and share them @OmidyarNetwork on Twitter.
- ITS Rio case study on two banking apps linked to social benefit payments in Brazil
- ITS Rio case study on three government-sponsored digital initiatives in Peru
- ITS Rio case study on a government-sponsored monitoring app in Colombia
- ITS Rio case study on a health app from Ecuador that resulted from a public-private partnership