The leaders and policymakers of nations around the world are working on building national digital identity systems and frameworks. A digital identity makes it possible for a state or a private enterprise to identify an individual or an entity in the online or offline world. It is a vital tool that can be used by governments and private and public enterprises to identify every person and assess that individual’s actions when consuming services (e.g., social welfare, financial support). It helps enterprises and governments meet people’s needs and strengthens the overall efficiency of a nation, for example, by accurately and efficiently delivering government services and reducing the risk of human error in identifying and verifying an individual.
Managing a national digital identity system is a complex challenge because national digital identity touches on many aspects, such as operations, technology, law, governance and policy. In addition to national leaders, research institutions, nongovernmental organizations, infrastructure operators, government staff, law enforcement and militaries are implementing digital identity systems. During the COVID-19 pandemic, some countries used digital identity systems to deliver public services and provide social support without data leaks or corruption of government-to-person transfers.[1, 2, 3, 4]
In the unpredictable and dynamic cybersecurity landscape, a diverse range of security issues can lead to national threats and the loss of data confidentiality, integrity and availability in an online setting. Security risk can compromise the existing national and social circumstances by causing online privacy violations, terrorism and corruption. Introducing a digital identity system can mitigate some security risk factors by enabling the adoption of a privacy and security by design approach, supporting public engagement and consultation, and allowing coordinated and disciplined governance. It is important for policymakers and national leaders to understand the true definition and scope of operations of a national digital identity framework and for private and public stakeholders to know how to develop and implement a digital identity system through a national identification (ID) system.
Defining Digital Identity
Digital identity is a digital file that defines who a person is, with unique identifiers or attributes; it is not just an ID card. It is used to prove an individual’s identity and credibility during any transaction or interaction, whether online or in person. Examples of when a digital identity can be used include:
- When an online retailer or a bank is delivering a product and the recipient’s identity must be proved to receive the product
- When individuals need to prove their age to obtain a product or service with an age restriction without showing a physical document such as a passport or driver’s license
- When individuals need to prove their identity to get state assistance or support without using a passport or other ID card
A national digital identity consists of unique identifiers. Some of the elements used by countries to digitally identify their citizens include:
- Textual information such as name and date of birth
- Audio information in the form of a voice sample
- Biometric data such as blood samples, iris scans, fingerprints and hair samples
- Descriptive information such as physical traits, including weight and height
- Personal identifiers such as a US Social Security number (SSN) or any government-issued identifying number
- Tokenized representations such as an ID chip card or passport
The elements required to create a national digital identity are different for different countries. Country leaders and policymakers must determine the necessity of certain elements to prove a person’s identity and implement the governance rules for these data.
Advantages to People and Enterprises
As people across the globe adapt to the digital economy, country leaders are taking an interest in implementing digital identity schemes.
The benefits of a national digital identity system imposed by the government are diverse and can be categorized from the perspective of users and private-sector enterprises. Potential advantages for users include:
- Greater convenience—Some public services have identity barriers, making them difficult to access. A digital identity allows the user to gain access to such services without being physically present.
- Reduced costs—Any costs incurred by the user to gain access to selected services are reduced.
- Greater access to services—A digital identity allows users to gain access to services such as opening bank accounts, accessing social security benefits or obtaining a mobile Subscriber Identity Module (SIM) card.
- Enhanced security—A digital identity can be a powerful tool for policing and prosecuting crime, as it ensures identity proofing, which helps authorities combat crimes such as tax fraud and identity theft.
- Enhanced privacy—With digital identities, individuals can control how much information they share with an enterprise to establish their identity and ensure purpose limitation. Individuals are in control of their own data.
Potential advantages for the private sector include:
- Higher revenue—As demand for a national digital identity grows at a faster pace, organizations have more opportunities to generate revenue by adding customers, which can increase job opportunities and tax revenues and help a country’s economy thrive.
- Reduced service delivery costs—A national digital identity system decreases the amount of paperwork, manpower and completion time for document validation, thus lowering expenses.
Cybersecurity and Privacy Risk
A national digital identity platform involves significant cybersecurity and privacy risk, but it can be managed. To mitigate the risk, a solid, comprehensive approach must be adopted to identify a person in a real-life setting and ensure that the online risk is effectively curtailed. One of the fundamental steps is to implement the privacy and security by design model, which manages the risk related to privacy violations and ensures that data are protected in a holistic manner. This must be backed by well-defined legal and policy frameworks so that the digital identity system can serve its intended purpose.
Centralized Data Storage Risk
Typical approaches to a national digital identity system involve centralized data storage. However, centralized data storage, particularly for systems with biometric information, poses significant risk and should be avoided. A central database creates a single point of failure. It is the cybersecurity equivalent of putting all eggs in one basket. If the central database is compromised, all information, including biometrics, will be compromised. To mitigate this risk, a decentralized architecture, integrated with other entities or associated with other identification providers, should be considered. Another option is to require additional forms of identification, such as assigning a one-time password that is linked to a phone number.
Biometric Risk
Biometrics are a core aspect of personally identifiable information (PII), and unlike a compromised password, cannot be changed. Therefore, biometric leaks may be irreversible. Further, using biometrics establishes that every action taken is connected to the specific user to whom the identifiers belong, and any misuse of that information puts the user’s reputation at risk. Because the risk of using biometrics is high, security professionals must ensure that the right kind of security controls and identity theft prevention plans are in place to protect biometric information.
Mass Surveillance and Targeting
Typically, national digital identity systems provide identification and authentication functions as a service. Combining both functions under one entity and keeping logs of all authentication transactions in one place increase the opportunity for mass surveillance and profiling simply by analyzing logs over time. To mitigate this risk, authorities should separate the identification and authentication functions, minimize logs as much as possible and minimize access to transaction logs, and ensure that deidentification models are used.
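The log minimization and deidentification recommended above can be sketched as follows. This is an added example, not part of the original article: the event fields, the key handling and the function names are assumptions made for illustration, and the sample events are constructed.

```python
import hashlib
import hmac
from datetime import datetime

# Assumption: only these fields are needed for a service's audit trail.
KEPT_FIELDS = ("service", "result")

def pairwise_pseudonym(national_id: str, service: str, master_key: bytes) -> str:
    """Derive a per-service pseudonym so logs of two services cannot be joined."""
    service_key = hmac.new(master_key, service.encode(), hashlib.sha256).digest()
    return hmac.new(service_key, national_id.encode(), hashlib.sha256).hexdigest()[:32]

def minimize(event: dict, master_key: bytes) -> dict:
    """Build the record that is actually written for one authentication event."""
    record = {k: event[k] for k in KEPT_FIELDS}  # IP, device and raw ID are dropped
    record["subject"] = pairwise_pseudonym(
        event["national_id"], event["service"], master_key)
    # Coarsen the timestamp to the day to blunt fine-grained movement profiling.
    record["day"] = datetime.fromisoformat(event["timestamp"]).date().isoformat()
    return record

def linkable_across_services(records: list) -> set:
    """Return pseudonyms seen under more than one service (expected: none)."""
    seen = {}
    for r in records:
        seen.setdefault(r["subject"], set()).add(r["service"])
    return {s for s, services in seen.items() if len(services) > 1}

# Constructed demo key; a real key stays with the log writer, not with analysts.
KEY = b"constructed-demo-key"

# Constructed sample events: one citizen at two services, a second citizen at one.
SAMPLE_EVENTS = [
    {"national_id": "ID-0001", "service": "bank", "result": "ok",
     "timestamp": "2024-03-01T09:14:07", "ip": "192.0.2.10"},
    {"national_id": "ID-0001", "service": "health", "result": "ok",
     "timestamp": "2024-03-01T11:02:55", "ip": "192.0.2.10"},
    {"national_id": "ID-0001", "service": "bank", "result": "fail",
     "timestamp": "2024-03-02T08:30:00", "ip": "192.0.2.44"},
    {"national_id": "ID-0002", "service": "bank", "result": "ok",
     "timestamp": "2024-03-02T10:00:00", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for rec in (minimize(e, KEY) for e in SAMPLE_EVENTS):
        print(rec)
```

Each service can still count repeat failures per subject, but an analyst holding the combined logs cannot follow one person from the bank to the health service.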
Exclusion
Exclusion is a common risk that arises when individuals are excluded from accessing specific services. The impact is not limited to the online setting; it can also lead to the marginalization of vulnerable individuals. Malicious internal or external actors can compromise or change digital identity details, thus excluding the individual from accessing services or receiving benefits. Authorities should anticipate exclusion risk and implement governance and grievance mechanisms, such as customer support systems, where excluded individuals can reach out for support and get benefits using alternative identity proofs.
Current Adaptations of a Digital National Identity
Estonia has one of the best-integrated national digital identity systems. Citizens use mobile phones to authenticate their identities and access selected services.[5] Similarly, China’s well-integrated national digital identification system gives citizens access to banking, lodging, travel and telecommunications services.[6] The United Kingdom uses a national digital identity system to simplify certain services for its citizens, such as obtaining tax refunds, pensions and mortgages.[7] Canadians’ digital identities are distributed to different systems across the country.[8] In Singapore, it is compulsory for each citizen to get a national registration identity card.[9] Citizens can then access their digital identities through mobile phones to obtain online services offered by the government.
Conclusion
Countries around the world should understand the importance and necessity of having a national digital identity system. Many have already adapted and evolved their existing identification systems, but others have yet to reap the benefits of a national digital identity system.
There are several advantages to introducing a digital identification system and adding unique identifiers required by governments. However, before introducing a national digital identity model, each country should address the associated risk factors and uncertainties and create a solid framework to manage and govern digital identity. It is important for governments to build this framework before implementing the system. The framework should demonstrate the government’s intention to protect citizens’ right to privacy and ensure that the system is implemented and operated in the way it was intended. The goal is for the world to experience the benefits of simplified access to public, private and government services.
Endnotes
1 Sharma, A.; “Aadhaar-Enabled Cash Transfer Scheme Helped Save Govt Rs 45,000 Cr in Pandemic Year,” News 18, 21 November 2021, http://www.news18.com/news/india/exclusive-iaadhaar-enabled-cash-transfer-scheme-helped-savegovt-rs-45000-cr-in-pandemic-year-4495448.html
2 Saini, S.; S. Hussain; “Leveraging India’s Aadhaar Platform to Ease COVID-19 Pain,” East Asia Forum, 1 October 2021, http://www.eastasiaforum.org/2021/10/01/leveraging-indias-aadhaar-platform-to-ease-covid-19-pain/
3 White, O.; A. Madgavkar; T. Sibanda; Z. Townsend; M. J. Ramírez; “COVID-19: Making the Case for Robust Digital Financial Infrastructure,” McKinsey Global Institute, 26 January 2021, http://www.mckinsey.com/industries/financial-services/our-insights/covid-19-making-the-case-for-robust-digital-financial-infrastructure
4 The World Bank, “Inclusive and Trusted Digital ID Can Unlock Opportunities for the World’s Most Vulnerable,” 14 August 2019, http://www.worldbank.org/en/news/immersivestory/2019/08/14/inclusive-and-trusted-digital-id-can-unlock-opportunities-for-the-worlds-most-vulnerable
5 e-Estonia, “e-Identity,” http://e-estonia.com/solutions/e-identity/id-card
6 Matzkuhn, D.; “China Enables ID Cards as an App,” CANCOM.info, 9 January 2018, http://www.cancom.info/2018/01/china-ermoeglicht-personalausweis-als-app/
7 Taylor, M.; “A Single Sign-On and Digital Identity Solution for Government,” UK Government Digital Service, http://gds.blog.gov.uk/2021/07/13/a-single-sign-on-and-digital-identity-solutionfor-government/
8 Digital ID and Authentication Council of Canada (DIACC), http://diacc.ca/
9 Immigration and Checkpoints Authority (ICA), “Register Identity Card for 15-Year-Olds,” Singapore, http://www.ica.gov.sg/documents/ic/registration
Biji Scaria
Is a cybersecurity leader with a strong technical and business background and more than 20 years of experience, including setting up and managing cybersecurity departments and teams. He has more than 10 years of telecom security experience, leading high-performing technical and nontechnical teams. Scaria also has experience building and managing information security strategy, data security and privacy, privacy assessment, cloud security, security controls, consulting practices, and information security departments. He has worked with major telecom, banking, oil and gas, healthcare, and aviation enterprises across Africa, Europe and the Middle East. He has also published multiple articles for the Global Risk Community, which is an online risk management forum and platform for risk managers and associated service providers.