Sri Lanka’s plan to move to a digital ID promises benefits but carries grave risks

The danger lies in the database, not the biometrics

The government has announced plans to introduce a digital ID. People assume this is just a ‘smart’ version of the current card, but it is not. It is a vast identity database, granting wide powers to the commissioner general, his officials and other authorities to collect and record any personal details at their discretion.

The system is modelled on Pakistan’s Computerised National Identity Card (CNIC) system that was introduced to combat terrorism, but has enabled mass surveillance. The Bill was passed in June 2016 and the Regulations gazetted in August 2017.

The issue with this scheme is not in the card or the biometrics; it is in the database – an identity management system with the National Registry of Persons at its core.

  1. The National Registry of Persons (NRP) will have all details of a person and his/her family, far more details than the present ID card. (See box 1 for the list of details). These details must be updated regularly.
  2. Through the ENIC, all data now held in various other government databases could be linked to, or indexed by, the NRP. Effectively an index to all other official and quasi-official records, the NRP would be the key to a total life history of every individual. (See box 2.)

The government claims that a lot of citizens’ data is already held by State bodies, so there is no cause for concern. These assurances overlook the fundamental nature of the new database.

Currently, data is held in different public bodies and used for different administrative purposes: for example, vehicle details with the RMV and property details with the land registry. The data is isolated, not shared.

  1. In isolation, this data is not of much interest. The RMV knows the name of the owner of a car, but it cannot connect this to anything else. No one department can put a “face” to a name – i.e. have bio data of a person. They do not know any of his/her personal details or of other assets, spouse, family, children, residence, workplace, properties, etc. Similarly, the registrar of companies will have details of the owners/directors of a business, but no other information.
  2. Furthermore, none of this data is given out, except by court order.

Now, these separate databases can be linked together with the ENIC to obtain a full profile/bio data of any citizen and their family. To begin with, the information held in the central registry is alarming (see table 1), and together with linkages to all other government bodies (and potentially private sector data as well), it is a very powerful and dangerous tool. As a searchable database, it will be possible to achieve the following:

  1. Search for the assessment number of any property or building and discover the names of the owners and tenants. With the name and ENIC of the owner/tenant, it will be possible to link to other databases to get the details of their other properties, vehicles, businesses, family, etc.
  2. Similarly, you can search for a vehicle number or phone number, discover the owner, and then obtain a full profile of them and their family.

A name, a phone number, a vehicle number, an address: these are details that people routinely share. Now, any one of these can be used by a person with authority to extract sensitive details about people and their families.

Under the current structure, if there was a need to build a profile of a person, it would necessitate multiple court orders and a lot of time going to departments to gather data. It is a slow process, subject to many checks and balances, and quite rightly so. Apart from the requirement for court orders, internal administrative procedures within each department will need to be followed before any information is released.

Now, details are to be held in a central database that is freely and legally accessible to a wide variety of officials with no necessity of recourse to court orders. Being automated, anyone can easily build a full profile of a person, and it’s not difficult to imagine the extent to which this can be misused.

Such data is very valuable and would carry the following two major risks:

  1. Unauthorised access through hacking. Given the nature of the data held, the database would be a magnet for hackers.
  2. Abuse by interested parties for personal or political gain.

The abovementioned risks are multiplied since the data is widely available – for prevention or detection of a crime or for National Security. No crime needs to be committed. For example:

* Anyone may give false information to the police alleging a potential crime, which warrants access to the database.

* A policeman investigating a routine traffic offence may have access to the database.

While leaking of data is criminalised, there is no procedure for safeguarding data once extracted from the database.

The ENIC number would be the key to a citizen’s whole life. Unlike the current ID, every time it’s used, the ID would need to be read and validated by the system. By making ordinary life dependent on the reliability of a complex administrative system, the scheme makes a myriad of small errors potentially catastrophic. Mis-identifications, errors or deliberate attacks on this critical piece of national infrastructure can cause failure. A failure in any part of the system at a check might deny a person access to his/her rights, property or public services, with no immediate solution or redress: the “license to live” withdrawn.

A citizen could be effectively disenfranchised and “locked out”, preventing access to bank accounts, voting, working and dealing in property, which has already happened in Pakistan.

Thousands of citizens in Pakistan have had their CNICs “blocked” on suspicion of being aliens, leaving them unable to purchase a mobile phone connection, obtain connections for utilities such as water/electricity, sell or purchase land, travel, or deal with a bank. Section (9)(2) of the regulations in Sri Lanka provides similar powers to the commissioner general to block an ID under an “exigent condition”.

Proponents of the system argue that the digital ID is harder to forge, but the risk of forgeries (and identity theft) actually increases.

The problem is that the more valuable an identity document, the greater the motive to forge it. The assumption is that the biometric identifiers make it impossible to steal the card and the identity attached to it. What this overlooks is the increased significance of the NIC number in the linked digital system that will be created.

The NRP database provides details of parents, children and their dates of birth: all the details needed to create a false virtual identity. To do serious damage to someone’s identity, it is not necessary to steal the card and try to impersonate them; damage can be done by just stealing the number and other details, because with a new central database, identity will be established electronically, not by physical documents.

In the US, where there is no national ID card, but a national identifying number known as the Social Security Number (SSN), identity theft is the fastest growing crime. Armed with someone’s SSN and their date of birth and maybe their mother’s maiden name, thieves can get credit cards, open bank accounts online, etc.

If someone is a victim of identity theft, the consequences will be far more severe than now because their identity will be connected to that single card/number, and it is impossible to reset. A stolen password can be reset, but it’s impossible to change a fingerprint.

Pakistan has implemented the same system, but rampant identity theft took place, and the state was compelled to do a wholesale reregistration of IDs in 2016.

Biometrics are not fool-proof and not all biometrics will work for all people. Missing fingers, eyes or physical conditions may render one or more biometrics unstable or hard to read. All systems have errors. Deployment on a large scale, with variably trained operators and variably maintained and calibrated equipment, could produce many mismatches, leading to potentially gross inconvenience to thousands.

The system enables mass surveillance, as has occurred in Pakistan. The Pakistani police have embraced the digital ID and have extended its application to monitor people in the following ways:

  1. Tenant Registration System (TRS)

Any person who takes a home on rent has to register himself/herself at the nearest police station in the TRS. Once registered, the system immediately matches the registration against the database to check the tenant’s details, including driving license, registered vehicles, registered mobile SIMs and criminal records.

  2. Geo-Fencing

This is the use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area. The police get the mobile numbers of people, now readily accessible on the database, and set up the system with assistance from telecom operators.

  3. Hotel Eye

This logs the check-ins and checkouts of guests at hotels, along with CNIC numbers and personal details of visitors. It helps to track activities of hotels and their guests.

With CCTV systems capable of number plate recognition, bus travel passes, and increasing use of biometric access systems in private and public workplaces, this type of system could enable a mass system of surveillance, the possibilities of which are not far-fetched given experiences in Sri Lanka and elsewhere.

By securely digitising the existing data, the national identity system has the potential to create some benefits for society. However, these proposals are neither safe nor appropriate, and should not be allowed to proceed without full public consultation and an independent technical review.

 

——————————————————————————————————————————————–

BOX 1

The data in the database: As per Gazette No. 2021/28 – WEDNESDAY, 31 MAY 2017

  1. Name
  2. Place of birth (if foreign born, details captured separately)
  3. Permanent residence
  4. Place of temporary residence
  5. Telephone – residence and mobile
  6. Email
  7. Profession
  8. Civil status (married, widowed, divorced, unmarried)
  9. Details of father: full name, date of birth, NIC no.
  10. Details of mother: full name, date of birth, NIC no.
  11. Details of guardian: full name, date of birth, NIC no.
  12. Details of spouse: full name, date of birth, NIC no.
  13. Details of siblings: full name, date of birth, NIC no. and civil status

Changes in civil status (marriage, divorce, widowhood) must be reported within six months, including marriage certificate no., divorce case no. and court, and death certificate no., as applicable.

———————————————————————————————————————————————

BOX 2:

Regulation 18 provides that, for the purpose of Section 39A(1) of the Act, “the prescribed authorities” shall be the heads of public institutions. Consequently, the Commissioner General or an authorised officer may, for the purpose of discharging the functions under this Act, require any head of a public institution to furnish, in writing, such prescribed information relating to a person, recorded with such authority. Furthermore, it shall be the duty of the head of the public institution to comply with such requirements.

Section 44 (3) of the Act provides: Any employer – (a) who fails to carry out the duty imposed on him by Section 38 to comply with any direction issued to him under that section to furnish a return relating to any person or persons in his employment… shall be guilty of an offence under this Act.

The details could include the following:

  1. Employment details
  2. EPF/ETF details
  3. Details of bank transactions, credit cards
  4. Savings, fixed deposits, investments
  5. Income tax file numbers
  6. Details of businesses registered and directorships held
  7. Share market trading accounts
  8. Vehicles
  9. Houses, property owned
  10. Medical records
  11. Legal records