The Fundamentals of Tech Transformation: Identity in a Digital Age

Technology Policy Tech for Development

The Fundamentals of Tech Transformation: Identity in a Digital Age

Paper
Posted on: 18th May 2021
By Multiple Authors
Blaise Bayuo
Policy Lead, Tech for Development Unit
Sophie Tholstrup
Head of Tech for Development Policy Unit

    The tech revolution is transforming economies and societies as well as individual access to work, education and information. Who it benefits and whether it levels the playing field or deepens the digital divide will depend on the fundamental building blocks that countries put in place. Following our report, The Progressive Case for Universal Internet Access: How to Close the Digital Divide by 2030, we set out other key prerequisites for a tech transformation that works for all. This paper focuses on digital identity – why it’s important, what it enables and primary considerations for policymakers.

    Introduction

    Introduction

    More than 1 billion people around the globe have no legal form of identity and, of those who do, 3.4 billion are unable to use these credentials online. As more governments and commercial actors digitalise, the ability of individuals to prove their identities over digital channels is an increasingly important determinant of access to services and social assistance, civic engagement and financial inclusion.

    As we’ve engaged with leaders around the globe in their response to the Covid-19 pandemic, we’ve seen how all roads, relating to health data management, access to health services and health passes, lead to the same fundamental challenge of digital IDs. Swift and coordinated action is needed by governments, private sector and civil society if we are to build, enable, and govern safe, reliable and interoperable digital ID ecosystems that harness the huge potential for stimulating economic growth and improving lives yet still carefully manage the associated risks. Based on a dynamic field of research and practice, we identify five core recommendations for policymakers seeking to build digital ID systems that are inclusive and effective.

    The Case for Digital ID

    Digital ID enables the individual to access a growing range of services, social assistance and civic engagement opportunities. Indeed, the ability to identify and reach the poorest citizens of a country is a key measure of efficient social protection. The Brookings Institution estimates that if universal digital ID was achieved, “extreme poverty could be erased at a global cost of around $100 billion” through cash transfers. Broadening access to digital ID could also help with progress towards all the UN’s Sustainable Development Goals.

    Digitalisation of basic services is happening across the developing world, with year-on-year growth in internet usage of approximately 20 per cent across Africa. But governments need to ensure that all their citizens – not merely the richest and best connected – can share in the dividends of this transformation. In countries without an existing system of secure digital identities, the closure of bricks-and-mortar offices and the shift online during the Covid-19 pandemic have left many people unable to access public and government services.

    Figure 1: Countries ranked according to the UN's E-Government Development Index

    Source: UN E-Government Development Index 2020

    Digitalising services has significant efficiency benefits for governments and businesses through the streamlining of processes and the reduction of loss from fraud and leakage. Digital ID systems can also help companies reduce operating costs associated with regulatory compliance, widen customer bases, generate new markets and foster a business-friendly environment more broadly. It is estimated that universal digital ID could create economic value equivalent to an average of 6 per cent of GDP in emerging economies by 2030 while saving governments 110 billion hours through streamlined systems, and global institutions up to $1.6 trillion through reduced payroll fraud.     

    During the Covid-19 pandemic, the role of well-functioning digital ID as a critical enabler of health management has been highlighted, with a part to play in everything from necessary public health surveillance and vaccine rollout to helping countries return to normal life as citizens are inoculated.

    Of course, digital IDs can amplify privacy concerns and protection risks, whether in the form of government surveillance, commercial misuse of data or breaches. So, systems must be designed in a way that safeguards users, promotes trust and maximises their value to the people who use them. In Venezuela, digital identities and identification have been used as a tool for social control while in Jamaica, the digital ID system has been criticised by civil society for being divisive and exclusionary. Expanding safe and reliable digital ID means tackling both technological and governance challenges. We need to build systems with an enabling environment in which digital ID technologies can develop in tandem with robust frameworks to govern and regulate them.

    Safe, reliable, inclusive and user-friendly digital ID is a prerequisite for digital transformation that benefits everyone. We agree with the USAID assessment that there may be no single factor that affects a person’s ability to share in development gains as much as having an official identity.

    The State of Play

    The State of Play

    While 161 countries have some form of digital ID, few have yet succeeded in introducing systems at scale. There are lessons, however, in the achievements of nations such as India and Estonia when it comes to implementation, particularly for those countries willing to take bold steps. India’s Aadhaar ID system is used by more than 1.2 billion residents (about a 90 per cent adoption rate). Similarly, Estonia’s e-ID is used by 90 per cent of its residents to access government services online. But efforts in many other countries have stalled either as a result of low uptake or implementation and governance challenges, with Nigeria’s national identity management system, for instance, adopted by just 20 per cent of its population. Intriguingly, middle-income countries such as India and Estonia have attained higher adoption rates than their high-income counterparts.

    Figure 2: Percentage of population without any form of identification

    Source: World Bank ID4D 2018

     

    Figure 3: Percentage of population with Digital ID 

    Source: Various sources & TBI

    Low- and middle-income countries (LMICs) have different challenges to high-income countries (HICs) in building out their digital ID systems. While infrastructure challenges in developing countries typically relate to implementation and adoption, developed countries can experience lock-in effects with existing technologies that then affect the speed and holistic delivery of digital ID systems. The experiences of India and Estonia provide useful pathways for LMICs with nascent technological systems to leapfrog and build cross-sectoral digital IDs.  

    Most countries have multiple digital ID systems in place, which can either be foundational or functional:

    • Foundational systems are intended primarily to provide identity as part of a nation’s digital infrastructure, not to supply a specific service. They are typically owned and operated by government institutions, aim for national coverage of populations and provide credentials that function as an official ID so that citizens can prove who they are. Examples include civil registries, identity cards, passports and birth certificates. The UN estimates that only 3 per cent of LMICs have foundational digital ID schemes that can be used to access different services.
    • Functional systems generate identities to serve and support delivery of a specific service – and may or may not be linked to systems that support other functions. They often aim to cover only a subset of the total population in a country; any given person may have a variety of functional IDs, for example, a driver’s licence, health insurance card or voter registration. The UN estimates that 55 per cent of developing countries have functional digital IDs that can be used for accessing services such as cash transfers, social assistance and health care.

    The existence of multiple systems is not a standalone issue. Yet such systems must be able to interact with one another and to operate under the same governance framework and safeguards. This is not always the case: this report on Kenya’s identity ecosystem, including a map, shows the range of ID systems used there, and the ways in which they can and cannot interact with one another.    

    In several contexts, functional ID systems have evolved to become foundational. Examples include Bangladesh, Haiti and Mexico where the voter ID has become a de facto national ID. Although this can be a good way to build foundational IDs, it also presents dangers. Specifically, if a functional ID is used for a purpose which it has not been developed or regulated for, problems can be created for both users and institutions. Where “scope creep” of a functional ID takes place, this must be intentionally managed and carefully regulated.

    As countries invest in closing the identity gap, they have an opportunity to build ID systems that are interoperable, put people at their centre and leapfrog expensive legacy systems. Doing so calls for the infrastructure – connectivity, digital literacy, access to electricity – to be in place to ensure widespread access and adoption. Systems must be designed with inclusion as a driving principle.

    The Covid-19 Effect

    The Covid-19 pandemic has highlighted the central importance of universal and reliable digital ID to vaccination registries, the issuing of health passes, and the easing of friction between testing and verification regimes across nations. Countries with the best health data will be the first to open but good health data rests on a reliable ID system. Covid-19 has underscored the lack of reliable IDs yet at the same time created an opportunity for countries to build new and globally interoperable systems to ease testing, vaccination and travel regimes.

    In many countries, weak or patchy health records have hampered efforts to trace cases of the virus and target state-level responses. Vaccine rollouts need to be informed by easily accessible patient records, which enable countries to target the most vulnerable and those with comorbidities, as well as to keep a reliable record of citizens who have received their inoculations. As vaccinations are rolled out and many countries consider national and international health passes, a reliable digital ID system is a prerequisite for tracking and verifying the health status of individuals.

    The pandemic has triggered a massive expansion in social protection across the globe, with 190 countries introducing related measures in response to Covid-19. Countries can only identify and reach their most vulnerable citizens when reliable digital ID systems exist, and patchy coverage has meant that eight out of ten countries did not succeed in reaching even half their populations with support.

    As well as strengthening the case for digital IDs, the pandemic has created an opportunity for countries to build and develop their associated systems. Governments across the world have issued special ID systems to track testing and vaccination, legislating to allow health solution providers to enable them in the short term. These interim solutions, if designed right, could be integrated into and pave the way for a more comprehensive ID system. As above, any “scope creep” from functional to foundational must be intentionally managed and embedded within a comprehensive governance framework.

    Managing the Risks

    Extending digital ID systems is not without risk. As more of our lives move online, more of our activities and interactions generate data that can be stored and analysed. This can be beneficial, for example when used to develop and improve user-centric public services, but there are also risks to privacy if not properly managed. As we have noted previously at the Institute, privacy protects our physical safety, limits government power and, crucially, maintains trust.

    New technologies make it possible to better secure personal data against unauthorised access and to avoid accumulating large quantities of data in single points of vulnerability. But bad actors are a fact of life; data and systems operating at population scale will always be attractive targets, and must be designed and protected accordingly. If not properly handled, there is a real risk of public resistance, as seen recently in Kenya and India.

    Digital ID systems may reinforce existing political dynamics too. “Digital ID systems will only make governments more efficient at what they are already doing. If a government is currently using its identity systems to discriminate against minorities and exclude them from power, then they will only become more efficient at that.”

    The risk of exclusion – whether through lack of foundational infrastructure or by design – is central. Policymakers must ensure they build systems with inclusion at their heart, maximising user control and safeguarding people and their data.

    Some of these risks can be addressed through careful design, and others require robust governance structures that protect users and their data. Digital ID presents both technological and governance challenges that must be carefully managed.

    Recommendations for Policymakers

    Recommendations for Policymakers

    The case for digital ID as a key enabler of sustainable development has been convincingly made, and there is a dynamic field of research that covers the opportunities, case studies and potential harms of rolling out universal digital ID. But what are the essential things policymakers need to consider?

    Design With – and for – Users

    The value of an ID system to its users will determine its adoption rate, and this rate – in turn – determines its value. Digital IDs must be fit for purpose, inclusive, useful, secure, portable and offer choice over when and how data is used. Systems must save people time, be easy to understand and enable access to a range of services. It must also be made clear what services digital ID does not provide, and what the limits of any system are. Consulting users as systems are developed and establishing robust feedback loops to understand and address problems as they emerge, are key. Governments should expand dialogue with both private-sector actors – to ensure they are incorporating the best tools and technology – and with civil society to ensure that user rights are considered and safeguarded at every stage of the process.

    Current ID systems often exclude marginalised populations, in particular women, refugees and migrants. In emerging economies, 45 per cent of women lack identification compared with 30 per cent of men. Barriers to inclusion can be both technical and political. To ensure technical inclusion, developers should consider how systems will work for all types of user, including those in low-infrastructure settings and from marginalised groups. Minimising barriers to uptake and designing with the marginalised in mind can help level the playing field while expanding access to services and opportunities for civic participation to all.

    Increased connectivity and easier access to mobile technology means it is emerging as the preeminent identity technology across much of the developing world. But ID systems that rely on device ownership may exclude those in lower connectivity areas, as well as less digitally literate people. With 50 per cent of the world still offline, options for those without the necessary connectivity must continue to exist.

    Build With Privacy as a Defining Principle

    Users must believe that their data is secure and protected from unauthorised access by both governments and companies. Individuals can be slow to trust new systems because of concerns around the large-scale capture of personal data, security and surveillance. Building citizen trust around secure usage will be key to creating effective ID systems with broad uptake. Users must be able to say: “I trust the government, the government trusts me as much as it needs to for this transaction, and we both trust the system we’re using to establish and regularly reconfirm that trust.”

    Systems should be designed with privacy at their heart, giving individuals agency over their own data and how it is used. Users should be able to control and permit access by third parties for verification purposes. This should be secured through robust regulation, requiring third parties to inform users of the type of data collected, and how it will be used and stored before a digital transaction is approved. Offline verification mechanisms will further secure digital identities, allowing users to authorise their identities offline and maintain control over access to their offline storage devices. Users’ views and preferences on the balance between privacy and convenience should be taken seriously in the design process.

    Uses of digital ID should involve access only to the data necessary for a given transaction. For instance, verifying the Covid-19 vaccination status of a person should only produce a “Yes” or “No” result without revealing any further private data. Stricter access controls and user permissions in digital ID systems are also essential.

    A digital ID that is linked to other national data sets and registries should define the interoperable rules and governance structures for each sub-dataset. A layered ID system may offer stricter privacy design parameters for digital IDs. So, a transaction request to authenticate a user’s nationality may require verification at the birth registry while a transaction request for an individual’s vaccination records may require a second-level check with the digital health registry. The sensitive nature of the data requested determines the verification requirements that have been implemented. Each layer will require much stricter permissions before access is granted. This also reduces the possibilities of single-point hacks, and the different layers can serve as checks in the technical implementation of the digital ID system.

    Govern With Clarity and Accountability

    Digital ID is developing faster than the regulatory frameworks protecting users. This imbalance must be addressed. Safe and effective digital ID must be supported by robust governance and regulatory systems that both safeguard and empower users. Regulation should prioritise inclusion, ensure data privacy and clarify usage rights while clearly setting out who is accountable and how issues will be addressed. Policies should plan for system failure and governments should be transparent when this happens.

    While some standards around digital IDs are emerging, there are few national frameworks to effectively govern them – and insufficient multilateral cooperation. Several alliances have proposed “good ID principles”. Some governments and regional bodies are taking steps to better regulate digital ID and data privacy, including Kenya with its new data protection law, which was informed by the country’s Supreme Court ruling on digital ID calling for amendments to the proposed system in relation to biometric identification and inclusion guarantees. Governments should collaborate with international bodies and alliances and engage private-sector actors and civil society throughout governance deliberations. Regulation should not only safeguard users from exploitation from third parties but should consider limitations to the personal data of citizens that governments store, share and use.

    Enable a Flourishing Tech Ecosystem

    Where multiple systems are in operation, these should function as a “trust framework” of interoperable systems, technologies and stakeholders, based on an authoritative and foundational ID. At a minimum, all ID systems should be interoperable at the country level. To maximise benefits, though, ID systems should be interoperable at the regional and global levels too (see below).

    Domestically, this includes the ability of different databases or registries (for example, national ID and civil registration systems) to communicate with each other, exchange data, and facilitate identity queries in a timely and low-cost manner (via open application programming interfaces or APIs), subject to appropriate privacy and security safeguards.

    Foundational digital ID should be built to encourage and enable an ecosystem for digital innovation. Technology infrastructure APIs that provide single-point access to all functional and foundational digital IDs will enable start-ups to build solutions that are accessible to everybody. IndiaStack has built a composite technical structure that connects all digital ID systems into a single platform, providing a comprehensive verification and authentication process in India. The platform works with Aadhaar, the national foundational digital ID. Today, almost 1.2 billion people have access to digital services through IndiaStack, with the platform also providing central infrastructure for digital innovation. Babajob, a digital Indian marketplace connecting employers and job seekers, uses IndiaStack to verify user profiles and display a “verified by Aadhaar” badge to boost trust and confidence in recruiters.

    Plan for Global Use

    As the pandemic has highlighted the need for internationally recognised health passes and as movement across borders continues to increase, the value of a digital ID system that is recognised globally and based on common standards is clear. Interoperability across borders can increase trade, and enable safe and orderly migration. This means policymakers should:

    • Commit to common standards: In order for ID systems to work across borders, they need to be based on common standards. They include technology standards that govern the software and hardware components of the ID system and which enable machine-to-machine communication for interoperability, as well as data standards that govern the format for structuring the data collected by the ID system. As Covid-19 spurs the conversation around global health passes, the World Health Organisation, Vaccination Credential Initiative and Good Health Pass Collaborative are all working to develop principles and guidelines to set the terms for an internationally recognised system of these passes. ID systems that meet these standards and can work across borders will enable countries to support frictionless travel.
    • Commit to common infrastructure: Rolling out models of digital ID across multiple countries can reduce implementation costs and promote regional integration. Options to support common infrastructure include platforms such as MOSIP, which freely provides the open source software upon which governments can build foundational digital ID systems to a common standard. Along with strong procurement practices, the adoption of international standards can drive down costs and minimise unnecessary constraints in the choice of technology or supplier, ensuring the system can adapt and take advantage of new solutions.
    • Build global coalitions to accelerate progress: Cooperation across borders at every stage of the process can accelerate systems development, strengthen regulation, ensure interoperability and improve user experience. Alliances such as ID2020 are seeking to build international coalitions of governments, private-sector actors and civil society around safe and effective digital IDs while the World Bank and Good ID have developed common principles. Regional efforts to set common standards around digital identity are under way in the EU. Within the African Continental Free Trade Area, meanwhile, transnational IDs will reduce trade barriers by easing access to services across the continent. A common database could be maintained by a consortium of governments and private sector to aggregate digital identities from member countries in a transregional digital ID system. For them to be broadly trusted and recognised by citizens, we need sustained and transparent collaboration aligned around shared principles, technical design patterns, interoperability standards along with supporting regulatory and policy frameworks.

     

    Conclusion

    The case for universal digital ID as a key enabler of development had been convincingly made pre-Covid. Since then, the pandemic has both shown the urgency for and created potential routes to building reliable systems. As countries seek to strengthen health infrastructure and data systems, effective and safe digital ID should be a central priority. This is a dynamic field of research and practice with clear paths for policymakers to follow. At the heart of efforts to extend digital ID to all citizens, however, we need to see user-centred design, strong governance frameworks based on emerging principles, and regional and global cooperation that takes the best from existing systems and promotes international interoperability. Identity is a human right. In the modern world, that identity should be digital.

    Hiroshi Watanabe/Getty Images

    Find out more
    institute.global