IDENTITY IN THE FISHBOWL 2019: KEY TAKEAWAYS
By Dr. Joseph J. Atick, Executive Chairman, ID4Africa.
It was the perfect ending of a highly successful Annual Meeting. Once again, the last Plenary Session of ID4Africa 2019— Identity in the Fishbowl — was an anticipated highlight, just like each year since it was launched at ID4Africa 2016. For those new to this term, it is a debate session where the audience is the panel. During two engaging hours, the Fishbowl permits a motivated audience to provide reactions and input stemming from issues and themes raised throughout the 3-day conference and in so doing, has the potential to provide a crowdsourced summary of the key takeaway messages of the Annual Meeting.
While I have moderated the ID4Africa Fishbowl since inception, it is a session that continues to stir my excitement because of its unpredictable, energy-driven nature which never fails to attract loyal fans as well as first-timers eager to be part of what can only be described as a purely unique experience. I entered the session with one overarching concern – focus. Though channeling crowd dynamics is familiar territory to me, there is always a risk that the discussion could derail. In a room of over 500 attendees anxious to participate, one can never determine whether the crowd will share a coherent perspective on the priority topics slated for discussion. The audience could simply take the conversation in random directions, instead of advancing it forward towards a clear and present collective will.
Yet there was something dramatically new this year. No sooner had the session started, than it became clear I did not need to steer the conversation very hard — it flowed naturally and there was a collective energy that took over the hall and advanced the conversation forward. The conversation was not fueled by disjointed curiosities but was driven by an urgent need to know. It was sustained by practitioners who were looking for feedback from their peers to refine their plans for programs they were about to launch or expand.
To me, the ease with which the conversation flowed at this year's Fishbowl was a reflection of the maturity the Identity Community has attained around identity matters in Africa.
What follows are the principal takeaways that emerged from the Fishbowl Session.
EFFECTIVE STRATEGIES FOR SERVICE DELIVERY
From the get-go, the audience was looking for effective strategies for identity-linked service delivery. The case of the State of Andhra Pradesh (AP) in India was immediately cited as one rich with valuable lessons learned in that regard. Over the last few years, AP had succeeded in linking a broad array of services to a unique ID (Aadhaar) to the satisfaction and high participation of the population. So, what was the key to that success? Luckily, researchers (from the Center for Global Development) with firsthand knowledge of this experience were present in the audience and could inform the discussion. They revealed that key to the AP success was the fact that their service delivery strategy was anchored on four principles:
Total inclusion: Making services accessible to everyone.
Backup: Ensuring that every service can be used universally, with alternative plans put in place in case of failure.
Portability: Allowing people to choose their service provider.
Voice: Listening to the feedback of users and civil society in order to rectify problems and improve service delivery in real time.
A consensus quickly developed around the importance of building mechanisms to allow users to evaluate and transparently report on the quality of service being received. The idea being that such feedback should be monitored and used by the provider to continually improve service delivery, which is precisely what the authorities at AP are doing.
THE CITIZEN AS THE CUSTOMER
While the experience of Andhra Pradesh serves as a useful example to emulate, in hindsight there are really no surprises here. Those experienced in service delivery of any kind (not just identity-linked) would testify that success requires building highly available services that offer choice and where customer feedback is used to continually improve performance. But something new transpired in that Fishbowl dialogue, and it had to do with the way in which the identity authorities were viewing their roles. A clear shift became visible over prior years; the authorities are beginning to view citizens as customers, and they are now cognizant that their success will be measured through the metric of customer satisfaction.
In that context, the question shifted from building highly available services, to that of enticing customers to participate through a convenient and compelling value proposition. But here then emerged a Catch-22. In order to build services linked to identity, there must first be an identity scheme in place that covers a substantial portion of the population. The question then turned to what comes first: services to incentivize people to register? Or identity schemes to promote service development?
This is the beginning of the evolution of identity authorities into service enablers, and that realization was palpable in the discussion that ensued.
The audience agreed that motivating citizens to register when there are no ready services was a massive challenge. Some countries, in the hope of bootstrapping, opted to pass laws making ID registration mandatory. This is the case in Nigeria, for example. But even then, there is a shift in the way identity is being talked about in campaigns in order to mobilize the population. Instead of allowing the public to view it purely as a requirement of the law, they are being reminded – through the public service providers such as those issuing passports, driver’s licenses, etc. – that their national identity number (NIN) can put many needed services at their fingertips. The lesson learned was that even for foundational identity schemes, such as those offered by NIMC in Nigeria, the government needs to ensure that high-value functional services using foundational identity are ready, in order to offer incentives for enrollment.
This is especially evident in cases where foundational identity registers are established through mass registration campaigns. These are notorious for the stress they tend to cause the population, with people often queueing up for long hours without being registered because of various technical and operational failures, or because of bad capacity planning.
IN A NUTSHELL, GOVERNMENTS MUST ENSURE THAT CRITICAL SERVICES ARE READY BEFORE LAUNCHING MASS REGISTRATION CAMPAIGNS, OR THEY’LL RISK LOSING PUBLIC GOODWILL.
Luckily there are many services in current society that are highly valued by the citizens or organizations (such as political parties) that rely on them, and should be given priority in their development. These include:
If these functions are linked to a foundational identity system, they provide a great opportunity to motivate the population to enroll. But here there are two points to keep in mind:
Data delineation: There needs to be clarity as to what identifying data is collected and stored in the foundational and the functional systems, how the link between them is established, and how the data is updated. This can be a non-trivial and often contentious task, especially in political contexts.
Avoiding exclusion: In linking functions as fundamental as voting, health or financial inclusion to a foundational scheme, the government must provide on-the-spot mechanisms to enroll those who seek service but are not already enrolled in the foundational identity system. Redirecting service seekers to offsite enrollment bureaus risks disenfranchising people. The process must be frictionless and capable of automatically enrolling individuals seeking a functional service into the foundational scheme, without causing hassle or added costs.
Even when services have high value and are desirable, there remains a very significant barrier that governments must overcome, and that is earning the trust of the users. The problem of trust is more acute for identity schemes because these schemes consume and generate very sensitive personal data, which creates several risks, identified in the discussion:
Data aggregation: The sum is more significant than the parts. Unique identity numbers allow for data aggregation where the actions of an individual can be consolidated to extract an invasive personal profile. It is therefore easy to understand the fear people may have about the potential abuse of data exhausts in audit trails, particularly data that is not generated through controlled enrollment (where consent can be collected) but through identity-enabled use. The concern has become more heightened with the advent of Artificial Intelligence and Data Mining tools that are able to extract predictive insights. Taken to an extreme, this fear could result in a chilling effect, that inhibits people’s routine actions – an outcome that the Assembly agreed must not be allowed to happen.
Sale of Data: Governments, lacking proper budgets, have been known to sell data to information-hungry private sector companies that see in such data, goldmines for targeting customers. Several examples were cited during the session, and just a few days after the Fishbowl, news emerged that the Ghana Electoral Commission had sold its identity database to commercial entities in violation of the law.
Security breaches: Hackers target identity repositories, especially valuable digital identity credentials as they are perceived to hold the key to a world of service. Securing identity data against breaches has proven to be a significant challenge to the IT community, and a source of legitimate concern to ordinary people wondering if their personal information could ever be protected from identity fraudsters seeking to do them harm.
The audience agreed that the level of risk varied depending on the architecture of the overall system, and more specifically on how identity data is stored, and how authentication is performed. In that regard the following points were raised:
Centralized databases create the highest risk especially if they are accessible online remotely (used to perform online authentication directly). Their risks can be internal (malfeasance, government abuse), as well as external (hacking). These databases create temptations and easy opportunities for invading privacy and threatening free will. How to secure centralized databases was identified as a high priority activity for the identity community.
Tokens or limited credentials derived from a centralized identity database, were identified as promising constructs that could be used to shield the master database against identified risks, while simultaneously allowing access to service. The subject is still in development and merits deeper exploration.
Traditional secure identity cards were identified as highly desirable for privacy reasons when used for authentication. These allow secure transactions to be performed offline without ever requiring the data to be transmitted from the point of service to a centralized location. These cards can be chip-based, or chip-less and secured through printing technology and holograms, as long as they are bound to an identity (for example, through a unique QR code linked to a biometric). Authentication can be via a device at the point of service or can be performed by a human agent. One problem identified with offline traditional credentials arises from the fact that the user cannot control what data is shared at the time of authentication, since the data stored on the offline credential is not dynamic. It is encoded at the time of issuance and, in order to improve versatility, may contain information that goes beyond the bare minimum necessary for any specific service. For example, to buy alcohol it is only necessary to conduct an age verification and not to know the birthday of the individual or where he or she was born.
Mobile credentials that are stored on the secure element of mobile phones could offer a higher privacy protecting solution as long as the user is assured that neither the identity credentials nor the transaction data are transmitted to a central repository. These tokens can allow the user to control what information is accessible by any given application (e.g., age verification instead of sharing full date of birth).
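The derived-token and minimal-disclosure ideas above can be made concrete with a short sketch. This is an added example, not code from ID4Africa or from any national scheme; the record, key, service names and function names are hypothetical, and HMAC stands in for the asymmetric signature a real issuer would use.

```python
import hashlib
import hmac
import json
from datetime import date

MASTER_KEY = b"constructed-demo-key-not-a-real-secret"  # held only by the identity authority

# Constructed sample record; the NIN and date of birth are made up.
MASTER_DB = {"12345678901": {"name": "A. Example", "dob": date(1990, 5, 17)}}


def _prf(key: bytes, *parts: str) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.digest()


def service_key(service_id: str) -> bytes:
    """Verification key the authority hands to one relying service (assumption)."""
    return _prf(MASTER_KEY, "verify", service_id)


def years_between(dob: date, today: date) -> int:
    """Completed years of age on the given day."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def issue_token(nin: str, service_id: str, min_age: int, today: date) -> dict:
    """Derive a limited credential: a per-service pseudonym and one yes/no claim."""
    record = MASTER_DB[nin]
    claims = {
        # Different for every service, so two services cannot join their records.
        "sub": _prf(MASTER_KEY, "pseudonym", service_id, nin).hex()[:32],
        "svc": service_id,
        # The answer to the question asked, never the date of birth itself.
        f"age_over_{min_age}": years_between(record["dob"], today) >= min_age,
        "issued": today.isoformat(),
    }
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(service_key(service_id), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_token(token: dict, service_id: str, key: bytes):
    """Relying-service check; returns the claims, or None if the token is not valid here."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None
    claims = json.loads(token["body"])
    return claims if claims.get("svc") == service_id else None
```

The relying service never sees the NIN, the name or the date of birth, and a token issued for one service fails verification at another.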
BUILDING TRUST AND REINFORCING CONFIDENCE
The motivation, opportunity, and the means to abuse identity databases are clear and present. They represent the highest barrier that must be overcome before identity schemes are accepted by the population, even if their value proposition for service delivery is clearly established. The audience engaged in a heated debate about effective mechanisms to build trust in these systems. Among the issues discussed were:
National commitment to data protection and privacy: no identity scheme should operate in the absence of laws that protect people’s fundamental right to privacy. This was a watershed moment in an Annual Meeting that welcomed a significant number of data protection authorities (DPAs) as stakeholders into the identity community, and where attention to data protection and privacy was of utmost priority. The subject was addressed in several activities including the Round Table of African Data Protection Authorities (RADPA) that took place on the first day of the Annual Meeting, in the Spotlight Panel on Privacy and Data Protection on day two, and in the plenary panel on Appropriate Uses of Identity, which preceded the Fishbowl on day 3.
Legal empowerment: The population needs to understand the law in order to understand their rights and the recourse available to them in case they feel they have been harmed. This was identified as one of the important roles that civil society could play: by accompanying and empowering people to know and demand their rights, it can help reinforce confidence in these systems.
Privacy by Design (PbD): It is important to build PbD so that even when governments go bad, their ability to exploit the data is limited. The use of offline smart credentials that can enable anonymous transactions without generating audit trail data is an example of PbD. The audience felt a need for continued R&D and for the establishment of standards around this topic to guide national efforts to build responsible ID schemes beyond just deploying offline credentials.
Transparency: It is important that the government engage with the public directly and partner with civil society to explain what purposes data will be collected for, how the collection will benefit the people, and how data will be treated and stored and for what lengths of time. These are the ingredients of responsible data protection frameworks that are now common throughout the world, and Africa should be no exception.
Extensive scope of protection: The question of data protection and privacy needs to cover not just identity authorities and government agencies, but must be comprehensive to include the private sector, NGOs and development agencies, that are collecting data about individuals.
Limiting national security exceptions: A major concern that was also raised is the access to identification databases by national security organizations, which often seek to be exempt from data protection regulations in the name of national security interests. This is a problem not limited to Africa, as exceptions made for national security in the use of identity systems exist worldwide. It is not clear how to address this issue in a nonspecific threat context, but what was clear from the discussion is the need for proportionality in justifying irregular access and a balance with human rights to restrict the actions of such agencies to within acceptable limits.
TRUST BUT VERIFY
It is clear that achieving trust is not the result of a single action (even though it can be lost through a single bad action). Like any relationship, it requires ongoing commitment and consistent focus on fostering confidence. For that, the audience felt there was a need to build mechanisms that allow individuals to verify that government practices continue to merit their trust. Among the ideas raised:
Accountability: Government agencies that hold data must respond in a timely manner to citizens inquiring about what data is being stored about them and about who accessed that data over a certain period of time.
Push Notifications: More importantly, push notifications emerged as a more effective means of building trust, as they do not put the burden of action on the individual. If a data record about an individual is accessed, the individual needs to be notified, through a communication channel of choice (e.g. email, text, etc.), about that access and its purpose. For example, in Estonia, a doctor can access the digital medical file of a patient coming for a consultation. This is considered acceptable access. But if the file is opened again after 10 days of the encounter, the patient would be automatically informed, and the doctor is obligated to answer questions the patient may ask regarding this access.
Audits: All identity systems — and their operators, government agencies and suppliers — should be accessible for legitimate, independent and periodical third-party audits, plus reporting to DPAs, in order to verify they comply with data protection and other laws.
Enforcement: The question of audits also raised the issue of enforcement. The DPAs should be empowered to enforce the law through penalties and legal action. This implies that the DPAs need to have the capacity to act in this regard.
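The accountability and push-notification items above amount to two queries over an access log, sketched here as an added example (not code from Estonia's system or any project named in this article). The log format, names and sample data are constructed, and treating an access with no matching encounter as notifiable is an assumption that goes beyond the Estonian example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GRACE = timedelta(days=10)  # window taken from the Estonian example in the text


@dataclass(frozen=True)
class Access:
    subject: str      # whose record was opened
    accessor: str     # who opened it
    when: datetime
    purpose: str      # purpose stated by the accessor


def needs_notice(access, encounters):
    """True unless the access falls within GRACE after an encounter between the two parties."""
    for subject, accessor, seen_at in encounters:
        same_pair = (subject, accessor) == (access.subject, access.accessor)
        if same_pair and seen_at <= access.when <= seen_at + GRACE:
            return False
    return True  # late access, or no encounter at all (the second case is an assumption)


def notifications(log, encounters, channels):
    """Push model: build the messages so the data subject never has to ask."""
    out = []
    for a in sorted(log, key=lambda a: a.when):
        if needs_notice(a, encounters):
            out.append({
                "to": a.subject,
                "channel": channels.get(a.subject, "sms"),  # channel of choice, default assumed
                "text": f"{a.accessor} opened your record on {a.when:%Y-%m-%d} "
                        f"(stated purpose: {a.purpose})",
            })
    return out


def access_report(log, subject, start, end):
    """Pull model: every access to one person's record in [start, end), oldest first."""
    return [a for a in sorted(log, key=lambda a: a.when)
            if a.subject == subject and start <= a.when < end]


# Constructed sample data: one consultation and four record accesses.
ENCOUNTERS = [("patient-7", "dr-kask", datetime(2019, 6, 1, 9, 0))]
LOG = [
    Access("patient-7", "dr-kask", datetime(2019, 6, 1, 9, 5), "consultation"),
    Access("patient-7", "dr-kask", datetime(2019, 6, 8, 14, 0), "lab results"),
    Access("patient-7", "dr-kask", datetime(2019, 6, 20, 11, 30), "unspecified"),
    Access("patient-7", "clerk-22", datetime(2019, 6, 3, 16, 45), "billing"),
]
CHANNELS = {"patient-7": "email"}
```

On the sample log, the two accesses by the treating doctor inside the window stay silent, while the clerk's access and the doctor's access on day 19 each produce a notice.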
There was a consensus that verification can be beneficial for all as it helps the individual trust the system, allows the identity authority to maintain transparency (thereby earning goodwill), and enables the DPA to maintain a well-functioning data ecosystem that can contribute to, rather than impede, development.
The issue of capacity-building emerged as the top preoccupation of many government agencies in Africa. It is not enough to import technology, solutions or platforms. Africa needs to have resources to use, customize, and further develop these platforms. For example, before open-source software becomes an interesting option for Africa, investments in capacity-building across the continent must be made to raise the available supply of talent capable of dealing with such complex systems.
In a way, the problem of vendor or technology lock-in, which was identified last year as a major obstacle, is intimately related to lack of capacity. To address this problem, it is desirable to launch programs that can provide initial as well as continuous training and certification to ensure a consistent level of talent. This requires enhanced cooperation with donors and development agencies.
Some of the agencies present provided corroboration by testifying about the brain drain taking place especially in the ICT departments, where international employers and the private sector continue to lure talent away with better pay and benefits.
While borders continue to exist in Africa, business growth is demanding borderless markets, which creates expectations for what identity systems will be needed. These systems clearly have to inter-operate within regions and hence allow for authentication outside the country of origin.
Standards for trust within a region need to be developed so that levels of trust can be comparable across countries. A good example to explore is the “Pan-Canadian Trust Framework” for ID which represents an important milestone for the Canadian digital identity ecosystem. Another is the European eIDAS Regulation. Both represent the anchor stones in attempts to build economic zones based on robust identity and trust standards. It was disclosed that the UN Economic Commission for Africa (ECA) is working on a Pan-African trust framework that will be presented in 2020 to the African Union (AU) in support of the milestone African Continental Free Trade Agreement (AfCFTA) (which was signed on 7 July, 2019, just a few weeks after the Fishbowl, and which is expected to create the world’s largest free trade area). The ECA expressed interest in collaborating with the ID4Africa Identity Council to validate the framework and refine it prior to presenting it for adoption to the AU. While this is a very important political milestone, the issue of regional integration and harmonization of identity will continue to be a challenge as it raises a myriad of operational matters that must be addressed before a truly interoperable ecosystem emerges, as we have seen in practice in Europe. ID4Africa is committed to supporting this effort and will dedicate a session on trust frameworks and interoperable identity at the 2020 Annual Meeting in Marrakesh, Morocco. Such trust frameworks would ideally address cross-border privacy and data protection even when the legal standards for data protection are not yet harmonized.