This is episode two of the series “The ID Question,” from How We Get To Next.
Read episode one, on India’s Aadhaar, the world’s largest, most ambitious digital identity scheme, here.
When Anantha Subramanian got a new email address in 2004, he soon found himself living other people’s lives. “I started getting all kinds of emails, including sensitive material, meant for other people with the name Anantha,” says Subramanian, an IT engineer who lives in Chennai, India. “One Anantha Laxmi Talluri, a real person, decides to get a bank account and uses my email ID as hers. I start getting her bank statements. The same with telecom companies: I get emails for six or seven numbers, even though I have one number.”
A week before we spoke, he’d received an email about someone’s insurance claim: details of the incident, phone numbers, an address. No one is verifying these email IDs, which mystifies him. As an IT engineer, he’s especially concerned with how data is collected—and how it’s maintained—both by private companies and the government. “The system,” he says, “is flawed.”
Despite his worries about digital security, Subramanian hasn’t left the web: He has Facebook and Twitter accounts, he makes purchases online, and he uses search engines even though he knows they track his proclivities. But he’s very concerned about digital privacy. He uses an ad blocker, and browses the web incognito. “It may seem like I wear a tinfoil hat, but I take a few precautions on what I post and upload,” he says. “It might be misguided. But I have a sense of control.”
Few of the websites we give our information to are truly secure; as long as you use Google or Facebook, there’s a limit to how much of your data you will ever be able to control. But a Facebook profile isn’t mandatory for modern life. What about digital systems that are? As governments around the world build biometric databases and online ID systems, they are creating networks that we can’t opt out of.
We’ve already explored some of the gaps in India’s Aadhaar system, and the damage done when people—especially young children—are unable to get a digital ID. Assuming you can get an ID, there are a whole host of other privacy and security issues to contend with. Subramanian is part of a Facebook group where people share stories about Aadhaar data being leaked or misused. “One member posted that he’d received an email from a bank official in India, which had details of all the bank accounts in that branch, with Aadhaar numbers attached,” he says.
For all his research, Subramanian does not know where his information goes, who owns it, and which third parties have access to it. This uncertainty defines all of our digital lives: our financial records, job applications, medical information, and, above all, government ID. Can we truly trust that our most sensitive information is secure?
On the web, we’re building systems based on relationships that help us figure out who we can trust. Those often begin with an email address, even though—as Anantha Subramanian found out—few companies take the trouble of verifying that email ID.
Governments, on the other hand, have long been in the business of verifying identity. When they issue a passport or a driver’s license, they have processes in place to make sure it’s really your photo and address under the lamination. No form of identity is wholly immune to fraud, but government IDs carry more trust than most.
But will this hold as governments extend their digital reach? Gemalto, a multinational firm which sells digital ID systems, predicts that 3.6 billion people around the world will carry some form of national electronic ID card by 2021. Some countries are using biometrics in their national identity frameworks, from small ones like Nepal to large, populous ones like Mexico.
The Chinese government is planning to take digital identity to a Black Mirror extreme: the Social Credit System will rate the trustworthiness of its 1.3 billion citizens on the basis of daily online activities, social media posts, and tax payments. An individual’s rating could be compared to those of other citizens to determine who gets a loan or a job. The emergence of these electronic IDs reflects a concerted move towards digital government which, designed and implemented correctly, has the potential to change lives on a scale that analog identity systems never could.
The Indian national biometric ID card, Aadhaar, has kicked up a storm of concerns since its inception, from inclusion to transparency to privacy to the security of personal data. The government has decided to link Aadhaar to mobile phone numbers, bank accounts, land registrations, car purchases, and, as we saw in the last episode, school admissions: the card could soon be a part of every aspect of private and public life.
“When they set up Aadhaar…the purpose was identification only, and it was voluntary,” says Subramanian, the eternal digital privacy worrier. “But slowly, slowly, slowly—look at the scope of it, it’s endless.” Indian privacy advocates have taken the government to court, challenging the reach of the Aadhaar scheme. Aadhaar has become linked to countless aspects of a person’s life, a key that could conceivably unlock every one of those attributes and build a sort of “profile” of an individual.
Reetika Khera, an economics professor at the Indian Institute of Technology in Delhi, explains the risk of the aggregated profile. “Today, information about my life is stored in different data silos—train travel, air travel, bank account, mobile phone, employment history, health,” she says. “The only person who can easily construct a full picture of my life is me. But if the Aadhaar number is ‘seeded’ into all these databases, it integrates these silos, and I lose control over who reconstructs my profile.”
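To make Khera's point concrete, here is an added example (not from the article, and not code from any Aadhaar or India Stack component) showing why one identifier "seeded" into every database becomes a join key, and how a sector-specific pseudonym, derived here with HMAC-SHA256 under a secret that only that sector holds, keeps the silos separate while still letting each service recognise a returning person. All IDs, records, silo names and secrets are constructed for illustration.

```python
"""Added example (not from the article): a seeded identifier lets whoever
holds the silos rebuild a full profile; per-sector pseudonyms prevent that.
Every ID, record and secret below is constructed for illustration."""
import hmac
import hashlib
from collections import defaultdict

# Constructed national IDs (placeholders, not real Aadhaar numbers).
ALICE, BOB, CARA = "1111-2222-3333", "4444-5555-6666", "7777-8888-9999"

# Three silos, each keyed by the same seeded national ID.
SEEDED_SILOS = {
    "travel": [{"id": ALICE, "route": "DEL-BOM"}, {"id": BOB, "route": "MAA-BLR"}],
    "bank":   [{"id": ALICE, "balance": 51000}, {"id": BOB, "balance": 1200}],
    "health": [{"id": ALICE, "diagnosis": "asthma"}, {"id": CARA, "diagnosis": "none"}],
}


def join_silos(silos, key="id"):
    """Group records by whatever key each silo stores, across all silos.
    Returns {key_value: {silo_name: [records without the key]}}."""
    profiles = defaultdict(lambda: defaultdict(list))
    for name, records in silos.items():
        for rec in records:
            profiles[rec[key]][name].append({k: v for k, v in rec.items() if k != key})
    return {k: dict(v) for k, v in profiles.items()}


def linkable_keys(silos, key="id"):
    """Key values present in more than one silo: the identities whose
    records can be joined into a cross-sector profile."""
    return {k for k, by_silo in join_silos(silos, key).items() if len(by_silo) > 1}


def sector_pseudonym(sector_secret: bytes, national_id: str) -> str:
    """Derive a sector-specific pseudonym with HMAC-SHA256. Without the
    sector's secret nobody can map the pseudonym back to the national ID,
    or across to another sector's pseudonym for the same person."""
    return hmac.new(sector_secret, national_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(silos, secrets, key="id"):
    """Rewrite each silo so it stores only its own sector's pseudonym."""
    return {
        name: [dict(rec, **{key: sector_pseudonym(secrets[name], rec[key])}) for rec in records]
        for name, records in silos.items()
    }


# Constructed per-sector secrets; in a real deployment each would stay inside
# that sector's key store and never be shared with the others.
SECTOR_SECRETS = {
    "travel": b"travel-secret-demo",
    "bank": b"bank-secret-demo",
    "health": b"health-secret-demo",
}
PSEUDONYMISED_SILOS = pseudonymise(SEEDED_SILOS, SECTOR_SECRETS)


def lookup_at_sector(silos, secrets, sector, national_id, key="id"):
    """A sector holding its own secret still recognises a returning person
    who presents the national ID; it recomputes the pseudonym and looks it up."""
    pseud = sector_pseudonym(secrets[sector], national_id)
    return [{k: v for k, v in r.items() if k != key} for r in silos[sector] if r[key] == pseud]


if __name__ == "__main__":
    print("seeded, linkable across silos:", sorted(linkable_keys(SEEDED_SILOS)))
    print("pseudonymised, linkable across silos:", sorted(linkable_keys(PSEUDONYMISED_SILOS)))
    print("bank still finds Alice:", lookup_at_sector(PSEUDONYMISED_SILOS, SECTOR_SECRETS, "bank", ALICE))
```

With the seeded silos, `linkable_keys` returns both Alice and Bob, because anyone who obtains two or more databases can join them on the shared number. With per-sector pseudonyms it returns nothing, since the same person has a different opaque key in each silo. Two caveats a reviewer would raise: whoever holds all the sector secrets (a central authority, for instance) can still link everything, so the scheme only helps if the secrets genuinely stay apart; and pseudonyms do nothing about other columns such as names or phone numbers that could still be used to match records, nor about a breach of any single silo.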
Aadhaar is sold to the public as part of the “India Stack,” a technology platform that allows integration with both current and future digital services. In theory, it means that any given service will be able to verify someone’s ID just by using the biometric information stored in the Aadhaar database.
The India Stack features “layers” where information like bank details for cashless payments can be stored. To pay for something, you’ll only need to prove your identity with fingerprints or iris scans. In the future, it might be possible to walk straight through an airport’s doors and onto a flight without having to show a passport. But centralizing so much personal data presents a substantial data protection risk; a single data breach could expose everything, and our most private information is on the line.
When you enter your personal information online, it doesn’t go directly to the company running the website. There is almost always a middleman in between: a “Customer Identity and Access Management,” or CIAM, platform. Many companies offer these services, from large players like Microsoft and Salesforce to smaller ones like Janrain and Auth0.
CIAMs were initially developed to allow different people in an organization access to different amounts of data in a safe and secure way. They were never intended to control data collection, but to protect what was already in the system. Different CIAM providers recommend different privacy protocols to protect their clients’ data, but ultimately the decision is up to that client—the company that wants your data.
Oregon-based Janrain follows Privacy by Design, a protocol that minimizes and secures the information collected. “We make sure there’s a reasonable purpose for asking for that data,” says Mayur Upadhyaya, a managing director at Janrain. “For instance, why do you need the location? Is it to offer some targeted content that customers can opt into? Is it for a delivery service? Then great. If it’s arbitrary, then no.” But while Janrain advocates for the Privacy by Design approach, it can never fully enforce it. “We could say, this is our best practice, this is our recommendation. But if a customer did want to collect more data, they could.”
Governments are slowly becoming aware of the vulnerabilities in their digital data collecting. The European Union, which has a history of standing up to multinational companies over the privacy concerns of its citizens, is trying to give back some of what individuals are losing online: control and ownership. The EU’s General Data Protection Regulation (GDPR) takes effect from May 2018. The rules include the right to have your personal information deleted from a company’s database (the right to be forgotten); the right to transfer your data from one company to another (portability); and the right to know when your data has been compromised.
The GDPR requires companies to seek your informed consent, in clear and plain language and at every stage, as they collect and store your data. The regulations also ban data “profiling,” a technique used to analyze or predict a person’s performance at work, economic situation, location, health, or behavior based on the automated processing of personal data. The fines for violating these rules are considerable: smaller offences could result in penalties of up to €10 million ($12.3m) or two percent of a firm’s global turnover, whichever is greater, and more serious infractions carry penalties of up to €20 million ($24.7m) or four percent of global turnover.
In an era of data breaches, hacking, and leaks, the stringency of the EU’s rules should be a comfort to those who will benefit from their protections. But while governments will protect personal data across the commercial web, data collection by governments themselves is another story. The state, which has our most basic data and controls access to essential services, can be even harder to hold to account than commercial tech giants. Companies barter services for our information; states claim the right to diminish our privacy in exchange for things like physical safety and national security.
This is not a theoretical issue. Estonia, often referred to as the most digitally-minded state in the world, had security issues with its ID cards that made identity theft easier, and had to block the affected cards as a result. While there have been so many leaks from corporate services that it’s nearly impossible to keep track, government websites in the UK and the US have had private data leaks in recent years as well.
In India, Aadhaar has been plagued by personal information leaks since its launch. The most recent of over a dozen incidents saw more than 200 government websites publicly host private personal data. Corporations are also finding it hard to secure their data: in July 2017, Reliance Jio, one of India’s biggest telecom companies, leaked the data of 120 million people, the largest hack in the country’s history. You verify your identity with Aadhaar to get a SIM card—so Aadhaar numbers were leaked as well. As the Centre for Internet & Society has found, giving so many different services access to Aadhaar has greatly increased the risk of abuse and future leaks.
What should the objective of a digital identity be? What should it look like? In most users’ ideal scenario, it would be a verified, portable ID that would be controlled entirely by the individual, who can choose to parcel out some parts of their identity and not others. Verification should be robust, leaving no room for doubt as to the authenticity of an individual’s identity—but once verified, a user should be able to carry that identity into commercial platforms with the assurance that it’s just as secure as it would be on a government platform.
Privacy advocates argue that digital identity ought to be sovereign unto itself, unaffected by the circumstances of its use, always fully in control of its owner, and as inalienable a right as any other civic freedom. Individuals should control their digital identities in full, and should be able to choose when to offer or retract it, in whole or in part. These aspects of control and choice are essential, because we cannot know how we will need to deploy our digital identities; we cannot know what the future will hold.