The UK government is planning a comprehensive national digital ID scheme. Judging by the experiences of countries further down this route, it will need to tread very carefully
In November 2020, the Indian government proudly announced that 1.2 billion citizens had been profiled by the nation’s digital identification scheme. While this was an impressive return for the Aadhaar system – described by the World Bank’s former chief economist, Paul Romer, as “the most sophisticated ID programme in the world” – the scheme had still left behind millions of people, many of whom were the most vulnerable members of society.
Activated in 2010, Aadhaar combines a 12-digit ID number with biometric iris scans and fingerprint data. But, given that leprosy remains a problem in rural India, many people cannot supply fingerprints. For instance, Harshabati Kheti, a 68-year-old woman living in the eastern state of Odisha, was unable to authenticate herself for ration distribution as she had no fingers, meaning that she was denied food and other welfare services for nearly a year, despite having a disability certificate.
The Marginalized Aadhaar report, written by documentary filmmaker and human-rights campaigner Subhashish Panigrahi, revealed that the system was also of limited use to the 800,000 Soras Indians living in Gajapati, a rural district of Odisha, who speak only a regional dialect and rely on a local herald to deliver them the news each day.
In the northern state of Uttar Pradesh, Aadhaar declared nearly 6% of the population – 1.9 million people, mostly Muslims – illegal overnight. It was also where 200,000 tonnes of state-supplied foodstuffs were pilfered using fraudulent ID numbers, diverting rations away from the needy and on to the open market.
While India should still be lauded for bounding so far ahead with its digital ID scheme, other nations can be forgiven for proceeding with relative caution as they seek to avoid the types of problems encountered during Aadhaar’s roll-out.
Dr Ana Beduschi, an associate professor of law at the University of Exeter, is leading research into the legalities of Covid passport schemes (see below, “How close is the UK to vaccination passports?”). She observes that digital ID technologies are not inherently neutral and can aggravate existing inequalities, working against the very people whose rights they’re designed to protect.
“Research demonstrates that, although most citizens have found India’s programme easy to use, a sizeable minority have encountered problems with biometric authentication,” she says.
The UK government published plans for a comprehensive digital ID programme in 2020 and has since sought bids for a £4.8m contract to produce an app. This follows advanced ID schemes in Estonia and other embryonic programmes in Australia, Canada and New Zealand.
In theory, a secure digital ID system would enable British citizens to simplify interactions between themselves, businesses and public authorities. So says Christopher Ansara, founder and CEO of Alt/Ave, a specialist in secure digital document distribution.
“Having a digital ID is key for modernising public health services through remote online authentication,” he says. “It will also be incredibly useful within financial services, collecting confidential customer data and improving administrative efficiency by reducing paperwork and human error.”
But one of the criticisms levelled at Australia’s planned digital ID programme is that the government wants the scheme to link no fewer than 80 diverse services.
Bruce Esposito is a strategist in identity and access management at US software firm One Identity. He believes that creating a monolithic system that unwittingly over-identifies the public should be avoided. This is what happened in the US with the marriage of social security numbers and the credit system, a situation in which too much information became far too easy to obtain. Pages of data were transferred – regardless of need – in each transaction.
The UK should apply what’s known as contextual integrity in its digital ID scheme, storing as little information as possible and transferring only what’s needed for each party, he argues. “A healthcare provider may need to know a person’s sex and weight, for example, but a retail provider would not. Conversely, a retailer may need to know a person’s income, as reported on tax forms, in order to extend credit, but the healthcare provider may not need to know this.”
Smartphones are enabling this level of functionality already, becoming a de facto digital ID for their owners, Esposito adds, although concerns remain about how much personal data they allow to be shared with third parties without users’ knowledge, let alone consent.
In a period when Westminster spent £37bn on the roundly criticised NHS Test and Trace system, does the UK have the wherewithal to create an effective and trustworthy ID system? Over the past year, the government has faced data-breach scandals ranging from the prime minister’s leaked text conversations with Sir James Dyson to the Ministry of Defence’s failure to protect the identities of 250 local interpreters who’d helped the British Army in Afghanistan.
Many large enterprises simply aren’t careful enough in protecting the data at their disposal, argues Trevor Morgan, product and marketing manager at Comforte, a specialist in cybersecurity.
“Most of these organisations aren’t necessarily experts in data security practice,” he says. “The most obvious way for them to engender mistrust is to get involved in a data breach that could have been prevented with a little knowledge and effort.”
Even companies with expertise in secure data handling can fall foul of the rules. In 2017, for instance, the UK Information Commissioner’s Office deemed a partnership between Google’s DeepMind division and the NHS illegal for its “overly broad sharing of data”.
The best way to protect sensitive information against ever-more sophisticated attacks from cybercriminals isn’t to squirrel it away behind guarded perimeters but to impart protections into the data itself, according to Morgan.
“Data-centric techniques such as encryption are well known, but these can come with a lot of operational overheads,” he says. “Protection methods such as tokenisation are much better. This replaces sensitive elements with innocuous representational tokens while preserving the original data format, which makes it much easier and cheaper for business applications to use.”
To address privacy concerns, the UK needs to empower citizens with a “self-sovereign identity” that enables them to retain control of how their data is used, argues Esposito.
“A person should be able to own and control all aspects of their identity – which information is shared, where it is held and – most crucially – when it is forgotten,” he says. “Individuals shouldn’t be asked to cede control over their identity to any one organisation.”
The government’s ability to position itself as the conscientious guardian, rather than the secretive user, of the people’s data will ultimately decide the UK’s digital ID future.
How close is the UK to vaccination passports?
Where we are now
As the world edges towards the adoption of Covid passports, the UK is divided on the need for them. In November, Wales joined Scotland in requiring people to give proof of vaccination to be granted entry to venues including theatres and restaurants. While England has resisted such measures, Westminster has indicated that people would need a third jab to be deemed “fully vaccinated”, even though booster doses are available only to over-40s at the time of writing.
What might happen next
Passports could still be introduced under the government’s so-called plan B this winter if there is a sharp increase in the rate of infection. Residents across the UK can already prove their status using the NHS App, which generates a Covid pass that shows the user’s vaccination details and/or test results.
Factors militating against passports
Public mistrust in how the state uses its technology could be a big barrier. Last year, North Dakota’s contact-tracing app, Care-19, was found to be covertly sending users’ data to third parties, for instance, while the municipal government of Suzhou, China, used CCTV and facial-recognition software to identify and shame people engaging in the “uncivilised behaviour” of going out in their pyjamas.
“This example is benign when considering the more obvious reasons why an authoritative government would have an interest in implementing a unified identity to track its citizens,” says Bruce Esposito.
Westminster will need to demonstrate to the public that data privacy considerations are no mere afterthought, according to Ana Beduschi.
“Policy-makers should also ensure that accountability and the adjudication of grievances are available and effective, reinforcing governance mechanisms within digital identity frameworks,” she says.