Still Nids-wary
Potential privacy and security implications not addressed
Irecently remarked to a colleague that I think the national identification system (NIDS) was more fundamental than the Caribbean Court of Justice and should be the subject of a referendum. He responded tersely, “Two-thirds,” in reference to how Parliament is presently constituted. It would not augur well for good governance if this is the approach being taken by those we elect to lead.
The pursuit of a new or one world order is not yet totally grounded in my thoughts; however, I note the concerted efforts of some to reintroduce a national identification card system on the back of the fears and anxieties resulting from this novel coronavirus pandemic. The breaches which allowed the private information of some thousands of customers of VM Wealth to be released to approximately 200 unauthorised individuals have, for me, sharply brought into focus a major concern regarding the security of personal data when entrusted to others.
Recently, and belatedly, there have been renewed discussions on the need for a Jamaican NIDS. Belatedly, because before the Supreme Court striking down the initial National Identification and Registration Act (NIDS Bill), there were minimal or no consultations with the most affected stakeholders. The heart of the NIDS, as was proposed, revolved around the collection of an enormous amount of data on each citizen and constituted an intrusion on privacy. The amount of data that would be collected goes ways beyond what would be necessary to merely establish the identity of individuals.
It is encouraging to see good sense has prevailed and adjustments are being made, as the previous mandatory nature was of primary and serious concern, as it also envisioned sanctions against those who may choose to exercise their inalienable right not to participate. The proposals were that those who refused to do so would be prevented from accessing government services and most commercial transactions. Such punitive actions would leave an individual with little choice but to register.
The collating of all our daily transactions and movements is a massive invasion of our privacy and trampling on our rights as citizens. It raises the possibility that the State or private sector organisations may have unnecessarily liberal access to and create massive databases on every one of us, including detailed information on some of the most personal aspects of our lives, without even our knowledge or consent.
As a crime-fighting tool — as being promulgated — there is no empirical evidence that this is effective, and therefore many major countries have not embraced the system, with our neighbour to the north rejecting it on many occasions. If indeed the ID card would assist in the fight against crime, as is being claimed in some forums, and would replace all the many individual IDS, its acceptance would be a foregone conclusion. However, when viewed against the tremendous technical challenges to set up, the exorbitant financial costs, and the very invasive nature to privacy, we have to be convinced that the privacy rights enshrined in our constitution are not being eroded expeditiously for reasons other than stated.
The undue haste with which the Government had initially embarked gave us little time to examine all the far-reaching implications of such a system. Hence, the timely intervention of the Supreme Court was most welcome. The unprecedented and inordinate amount of amendments points to the ill-preparedness of the Bill initially and brings into focus the aims of its proponents. It also reminds us that, as humans, we are subjected to inaccuracies that could cause great disruptions and be of significant inconvenience to each of us, among which could include us having wrong data inputted into a system, that would prove a nightmare to have corrected.
The replication of cards would not be an impossible task, as has been evident in many recent cases in which bogus IDS surface. Hence, the security of data is a paramount concern; prompting many essential questions about a national identification system: * Who would issue the cards? * Who would have control to view or edit data in the system?
* Who can require the production of the card to ascertain one’s identity?
* At what age a child would require a card, and can a child below the age access medical services?
* How would the system be protected, and who would be liable in the case of misuse or infringement?
These, among other questions highlight the practical and technological challenges of creating and managing a system and the need to develop comprehensive legal and policy frameworks concomitant with any venture that has such serious implications and risks of exposure to one’s privacy.
The creation of a national ID card involves more than merely distributing a physical card to every citizen. It should, therefore, accommodate widespread consultations, debates, and provide complete and detailed information on the myriad issues surrounding this form: Who are its users, whether assigned people and/ or organisations; who will have access and rights of disclosure; and, most importantly, what agency or agencies will have oversight?
There is a cost to all this, much more than the US$68 million loan secured from the Inter-american Development Bank (IDB). The system would involve more than simply establishing a database, ID cards, card readers, and an elaborate communication network. The multiplicity of security and privacy considerations continues to grow.
What is the final figure to implement? And, what will be the ongoing cost to maintain the national infrastructure for a biometrics data-based machine-readable system needed to read ID cards, authenticate the cardholder’s biometric data, and communicate with a central database in real time?
What procedures will be used to register individuals and manipulate information about them, such as enter, store, update, search and return data, issue credentials, and verify search requests, to name a few?
We would need to know such things as:
• what information would be contained on the physical card;
• whether the information would be stored on the card or in a central database;
• whether information on the card or in the database would be available to all users or to limited users on a needto-know basis;
• who would be allowed to ask for or require that the card be produced;
• whether transactions using the card would be recorded and linked to each other;
Just posing these questions indicates the scale of the potential privacy implications and larger social costs.
Once created, a national ID registry would need to be updated and maintained. Each citizen would be required to update their ID card regularly, just as we do with our drivers’ licences, simply to ensure that the information on the card is current and its security features up to date. People who lose their cards would need to register anew. Stolen cards would need to be reported and revoked.
Any ID system that results in the creation of a centralised database immediately raises privacy concerns because of the potential use of the database for law enforcement or other secondary purposes. A card that is used for multiple purposes and is linked to central databases could conceivably be used to monitor and track an individual by recording the uses that are made of the card. A high-tech national ID card could become a kind of internal passport. The failure to produce the card on request could mean a denial of service, could be grounds for suspicion, or, even worse, could lead to legal complications and constitute an offence in its own right. It would open the door to situations in which citizens are routinely stopped by the police and forced to identify themselves, should law enforcement authorities come to rely on the card for proof of identity, as they most certainly would.
In the UK, the Identity Cards Act 2006 was repealed in 2010 and the national identity registry (NIR) has since been destroyed; it would be interesting to ascertain why.