Do you trust the government with your personal information?
That question is at the heart of many of the privacy debates that are currently playing out as more countries move forward with plans for digital IDs. Many of those IDs will be backed up with biometrics, and the answer will often differ depending on your location. The Russian government, for instance, recently drew international criticism for an edict that will force some of the country’s banks to hand over all of the biometric data in their possession.
For critics, the Russian government’s decision invokes fears of a totalitarian state, in which the government uses biometric data to monitor and police an entire population. However, the notion that a government – any government – would want to have access to the biometric data of its citizens is not inherently dystopian. In fact, biometric data collection is already a routine aspect of life in most countries. In many places, the photos used on passports and driver’s licenses are technically stored in a biometric database, and face matching is at the foundation of the identity verification process everywhere from the liquor store to the movie theater.
The truth is that biometrics can secure and simplify many of the interactions that people need to perform on a day-to-day basis. In that regard, governments are interested in biometrics for many of the same reasons as the private sector. The technology enables a higher level of customer service, and eliminates the need for riskier identity credentials like passwords, which are both more difficult to use and easier to steal.
The catch is that biometric identifiers only function in that manner if people are able to trust the system. That’s especially true when dealing with the government, which passes the laws and sets the guidelines for the use of any technology. A private business that misuses biometric data is theoretically accountable to the courts. There is no such recourse if the government itself is trying to leverage biometric data for malicious ends.
With that in mind, it’s worth examining some recent cases to gain a better sense of the stakes when dealing with biometric technology. What are the potential advantages of government civil ID programs, and what are the pitfalls that governments will need to avoid to build trust and ensure that biometric technology is being used for the greater good?
The Case for Civil IDs
It’s not too difficult to understand why so many governments are so keen on digital IDs. The technology erases the printing costs associated with physical documents, and digital IDs can be more seamlessly integrated with the rest of the modern digital ecosystem.
Biometric technology helps link a digital identity document to the person it depicts. Many smartphones now come with fingerprint or facial recognition sensors, so people can complete a quick scan on their mobile device to prove their identity in an online interaction from anywhere in the world. In doing so, digital IDs bring identity workflows to the devices that people are already using in their day-to-day lives.
From the government’s perspective, that makes it much easier to administer a wide range of programs while simultaneously mitigating the threat of fraud. Forged documents are still a problem in many parts of the world, and fraudsters frequently target social welfare programs (such as unemployment programs during the COVID-19 pandemic). Those without the proper training will often fail to spot high-quality fakes, even when holding a forgery in their hands.
On the other hand, digital documents can be encrypted with unique details that cannot be duplicated. That information can then be verified with a standard scan, or when that digital ID is shared with another device. If the government is the issuing body, it can be quite confident that the person submitting the document is in fact the person they claim to be. That means that they can move forward with confidence and ensure that more social assistance resources (from housing to food to healthcare) go to the intended recipients instead of fraudsters.
While the case for digital IDs is well-established, the argument is based on a best-case scenario. It assumes that the digital ID system is secure enough to keep out hackers, and it assumes that governments have the best interests of their citizens at heart.
Neither can be taken as a given in the current geopolitical environment. To bring the conversation back to Russia, critics are worried that the government will use biometric data to target citizens who oppose the current regime. There are also questions about security. A massive surveillance system in Moscow has already come under fire for a pay-to-play scheme that gave private citizens the ability to stalk anyone captured on a city security camera.
Both practices would give Russian citizens good reason not to trust their government. The fact that the government is forcing the issue only reinforces those concerns, insofar as Russia is actively leveraging its political power to obtain information that would not have been given freely. People were willing to give biometric information to their bank because they trusted the bank to protect that data, and Russia is now manipulating that trust for its own ends.
Having said that, Russia is not the only country struggling with its biometric practices. For example, India’s Aadhaar identification system has been breached in the past, and the press bureau recently retracted a security warning that advised citizens not to share photocopies of their Aadhaar cards. The government did not indicate whether or not the events that led to that warning have been resolved, and seemingly issued the statement only because it wanted to end the viral panic that the vague announcement triggered on social media.
In its retraction, India noted that Aadhaar numbers are linked to biometrics, which prevents fraudsters from committing identity fraud even if they do get their hands on real Aadhaar data. If true, that is testament to the utility of digital IDs, to the extent that it demonstrates that biometrics are indeed a viable security measure.
The problem is that India’s prior security problems give people reason to doubt those claims, which again raises issues of trust. The government has also used facial recognition to arrest thousands of protestors. At the end of the day, none of the civil identity systems that have been deployed have functioned perfectly, and the sensitive nature of the information makes the potential consequences more catastrophic if something goes astray.
In the West, the trust question is being reflected in the debates surrounding digital IDs. State and federal governments from Ontario to Australia are trying to replace physical documents like driver’s licenses with digital equivalents, in each case promising that the digital versions will be more cost effective and more user-friendly.
Those potential benefits are very real, and can make government resources more accessible to millions of regular civilians. Most of those schemes have nevertheless faced some kind of political opposition from critics who argue that digital IDs will become a tool of social control. Those factions will often invoke the specter of China, suggesting that digital IDs will be linked to a social scoring system and that those with better scores (which is to say, those who obey official doctrine) will be given preferential treatment in their interactions with the state.
That kind of fearmongering often exaggerates the immediate scope of the threat, though there is a grain of truth in the critique. It is easier to track someone’s physical movements and monitor all of their online activity when identity procedures are consolidated through one centralized and automated system. If that identity data is paired with face biometrics, a large enough surveillance network could locate a citizen almost anywhere in the country.
At the end of the day, digital IDs seem like a good idea if you trust that your government will respect your basic privacy. They seem like a much riskier idea if your government has a history of breaking promises to its constituents.
The Way Forward
With all of that in mind, what can governments do to build trust for digital ID programs with their citizens?
At the most basic level, governments need to invest in good cybersecurity to make sure their identity databases are secure before they start rolling those systems out for the general public. That may sound obvious, but many countries have started collecting biometric data without taking the steps needed to keep that information secure. Even in China, criminals were able to use real facial images purchased on the black market to defraud the taxation system to the tune of 500 million yuan. The availability of those images and their effectiveness as spoofs demonstrates that China’s system had some glaring security flaws when it was introduced.
A good national ID system needs to guarantee that unauthorized individuals cannot gain access to the public’s identity data. If the country can fulfill that base-level security requirement, it then needs to put guidelines in place to prevent those who do have access to the data from using it inappropriately.
Those guidelines can take many different forms, from laws that codify people’s right to privacy to regulatory agencies that are qualified to rule on security best practices. Those guidelines allow the government to be more transparent with the public, to the extent that they should clarify exactly what information is collected, and what it will be used for when administering a national ID scheme.
The stricter and more detailed those policies are, the easier it will be to garner trust with a skeptical public. That trust increases if people believe that those policies are being followed in good faith.
That’s ultimately the best any government can do. In truth, the public will never know with 100 percent certainty that the organizations that have their personal information are being responsible with that data. That remains true whether the organization is a government or a private entity, because there is a degree of trust in every relationship.
June 8, 2022 – by Eric Weiss