Short Paper: The National ID system as a component of e-Governance
On 14 November 2017, the National Identification and Registration Bill was passed in the Senate despite a flurry of petitions, protests, and letters from citizens and civil society groups including the Jamaica Coalition for a Healthy Society and the Jamaica Bar Association. Much of the opposition has centred around the apparent rush to pass the Act and the insufficient public consultation on its terms. In this brief paper I argue that while the first steps taken by the government and the absence of provisions for e-Governance and data protection could negatively impact the ultimate success of this important first step, the national ID system remains essential as an enabler for the government to provide more efficient services to citizens. This analysis considers the draft Bill tabled in the Senate on 6 June 2017 as at the time of publication this was the only publicly available version. We await disclosure of the numerous amendments.
Background
The proposal for a national identification system (NIDS) dates back to a 1994 Electoral Committee recommendation, was 'launched' by the Golding administration in 2007, and was one of the ‘first 100 day’ targets of the current Jamaica Labour Party government in their manifesto. It now falls squarely under the Office of the Prime Minister (OPM). It is also a target in the National Security Policy 2013, identified as necessary for anti-money laundering and terrorism financing purposes so that all financial transactions can be linked to individuals. Identification that can be biometrically verified is also useful for preventing corruption, as in the case of India where the World Bank estimates that the “Aadhaar digital ID is saving approximately USD 1 billion (Rs 650 crores) a year by reducing corruption and leakage for the Indian government. It is a help in fiscal budgeting. It is a help in providing other useful services.” More importantly, a national identification number (NIN) is the cornerstone of the e-governance puzzle, the ability to streamline government and private services to provide for greater efficiency and access for citizens. It also ensures that government has accurate data on its citizens that it can use for strategic planning. The Inter-American Development Bank Project Profile (which is providing the government with a loan worth US$68 million/J$8.8 billion) that the programme will also have environmental and social impacts.
Estonia’s Chief Information Officer (CIO) Taavi Kotka remarked at Wired 2016 that, “The problem is the legacy of, for example, UK society who says: we will never start issuing numbers to the people. As an engineer, if you do not have a unique identifier how are you going to transmit from one database to another database. So if you say, we will not do that - stay in stagnation.”
Estonia has implemented a digital ID system for all citizens since 2001- not simply a legal photo ID, but a digital ID. The digital ID can be linked to a photo ID (there is no punishment for not having the ID and there are electronic alternatives) which has a chip that carries embedded files using 2048-bit public key encryption. “Functionally, the ID card provides digital access to all of Estonia’s secure e-services, releasing a person from tedious red tape and making daily tasks faster and more comfortable whether we are talking about banking or business operations, signing documents or obtaining a digital medical prescription.” Their single national ID card is used as a legal travel ID within the EU, as the national health insurance card, proof of identification when logging into bank accounts, for digital signatures, internet voting, interaction with the Courts, among other functions.
Jamaica’s Current Problem
An October 2016 White Paper on the Act published by OPM points out that: “Jamaica does not have a national identification database which can reliably verify the identity of its citizens… There are a number of identity systems being utilized by various public sector entities… given the diversity of these systems, they are not connected or inter-related and provide limited scope for data sharing and authentication of personal identity.” More recently, at a June 6 briefing on e-Governance the Prime Minister remarked, “What we want to do in the digital world is not to have (the) confusion where one agency is creating their own database, building their own software, training people in their particular idiosyncrasies, using their own protocols and then we have silos (where entities operate in isolation) and then it is very difficult to maneuver…because each agency tend not to be aware of what the other is doing.”
Many face difficulties obtaining services from the government, and many of these problems are because there is no single database that all agencies can use to verify the identity of the person they are serving. I learned this the hard way when my wife tried to register her new last name. Despite being in the same building at the Constant Spring Tax Office, my wife has two ‘separate identities’ at the TRN and driver’s license sections because their databases are not linked. Likewise, you are likely listed in databases at the Registrar General, TRN, drivers’ license, Electoral Office of Jamaica, National Insurance Scheme, National Health Fund, using a different numeric system, and they each require you to bring documents from the other to prove who you are in order to obtain services from them. This results in lost man (and woman) hours, poses a huge security risk, and creates serious inefficiencies.
In the realm of national identification and e-governance, Estonia has been justifiably heralded as the example that Jamaica intends to follow. It is likely that it is for this reason the Executive Director of Estonia’s e-Governance Academy Dr. Arvo Ott was invited to attend the e-Governance briefing on June 9. Estonia, is in fact, the most advanced government in terms of IT infrastructure and e-Governance. Jamaica cannot look to the traditional sources of expertise (eg. USA, Canada and UK) as they are, as Estonia’s CIO intimated: “in stagnation”. The reason why Estonia pursued e-Governance is the same reason we need to – a small population, lack of adequate resources to provide optimal ‘in-person’ government services, and the need to keep the costs of providing government services low.
The OPM White Paper establishes identity as a human right, an argument that ought not to be made because - as the JCHS has pointed out - human rights are inherent and inalienable and thus do not require any recognition or action on the part of the state or individual to be so. The White Paper proposes the establishment of a “unique, reliable and secure method of authenticating an individual’s identity. Each person… will be issued with a National Identification Number (NIN), which will be their unique identifier in the system. Information captured through registration for a NIN will be stored in a secure National Civil and Biometric Database (NCBD). Nevertheless, the use of the NIN as the primary key will enable interconnectivity of the NIDS database and all records within existing GOJ databases.” Among the core strategic objectives includes facilitating simplified procedures for citizens to access an array of benefits and services, and to support e-government and e-business for all Citizen to Government (C2G), Government to Government (G2G), Government to Business (G2B) and Government to Citizen (G2C) services. I find it strange that these strategic objectives did not find their way into the Act. The objects of the Act can be summarised as enrolment and registration, establishing the National Identification and Registration Authority (NIRA), the Database, and collecting and compiling statistical information.
Assessing the new legislation
“In creating NIDS as the first step towards achieving the digital society, we will be making the delivery of public services far more efficient and that will contribute to greater inclusion (and) greater economic growth and job creation as well,” the prime minister said at the June 6 e-Governance briefing. This is the rubric that should be used to assess the new legislation.
Section 15 of the Act provides for the establishment of a consolidated national databank, the National Civil and Identification Database. All citizens and persons ordinarily resident in Jamaica are required to enroll in the Database (section 20) and will be provided with a National Identification Number (NIN). The database compiles citizen and resident information, so they can prove their identities (or have their identities authenticated), obtain National Identification Cards, and so that the government can generate statistical information (section 17). I am not sure why, but the legislation does not go further to specify that database may (or ought) to be used to coordinate the activities of government entities to provide more efficient services to residents.
Without the NIN, a person will no longer be able to receive goods or services from a public body (section 41). Private sector entities are also permitted, under section 41(2), to impose a similar requirement for the production of the NIN prior to providing goods or services. Section 41 will force public bodies (and the separate databases including TRN, NIS, etc) to coordinate and communicate with the Authority in order to verify the NIN’s presented by individuals. However, this will not force those databases to coordinate and communicate with each other to facilitate e-Governance. Unfortunately, I could not find any provision in Jamaica’s new Act that moves us closer towards an e-Governance framework other than the establishment of the Authority and NIN database itself. Up to the time of writing, the ‘eGovernment Initiatives’ page on the e-Gov Jamaica Limited was blank. A new portal “www.gov.jm” was established as a directory of links to various online government services and information, including income tax filings and birth and passport applications, but its very implementation demonstrates the current lack of coordinated e-Government infrastructure.
Estonia committed to e-Governance in 1997, and since 2001, they developed and implemented open source technology that integrates all government services called X Road, allowing databses to “link up and communicate in harmony”. Estonia has no centralised or master database – all information is held by respective entities and X-Road allows them to communicate. A nice example from their website is that when a child is born, information from the hospital is sent automatically to the population register, then to the Health Insurance Fund, so the child has insurance and healthcare without paperwork or human involvement. Imagine registering your child for school by only presenting the child’s NIN. The technology has generated real results, boasts an Estonian government website: “Last year the X-Road saved 820 years of working time, assuming that every request saves 15 minutes and 5% of requests submitted via the X-Road involve communication between people, then using e-services helped save 7,182,262 working hours in previous year”.
In Estonia, the coordinating authority for e-Governance is the Information System Authority of Estonia, which is not the same entity that issues ID’s. That Authority has the information technology resources and trust to engage stakeholders in government to push forward the e-Governance policy. It provides a ‘check and balance’ on all databases, including their national ID database. In the case of Jamaica, it appears that OPM will remain the coordinating entity for both the identification programme and e-Governance. The Registrar General’s Department will be rebranded and placed under the remit of the OPM. The Prime Minister is the responsible Minister in the Act, and Section 60 gives him or her the unfettered power to amend any law by order where they think it is necessary for the functioning of the Act. This demonstrates the zeal of the government, but it will not auger trust in the NIDS. Separation of powers is a core tenet of democracy and should not be circumvented. It would be better for the NIRA to be supplemented by an independent authority responsible for the information technology components and e-Governance implementation, for example e-Gov Jamaica Limited or another suitable entity.
Data and privacy
The privacy of data is paramount when implementing a database that will be utilised by all public entities, and there are several steps in the right direction in the current legislation. On one hand, there is the issue of the right to privacy of individuals concerning their biometric data, and on the other, there is the protection of biometric and biographical data on individuals so that they remain private.
On the first issue, Jamaicans should remember that we already give up vast amounts of information on ourselves to the government, to banks, and for over 1 million Jamaicans, to Facebook. In fact, the Terms and Data Use Policy you agreed to (and said you read) when you signed up allows Facebook to use all the information they receive about you, including any information you add to your account or timeline, everything you do and share, what you like, and even “things we infer from your use of Facebook.” Facebook also reads posts you start typing but choose not to post, and tracks your use of other websites, your physical locations, and has partnerships to track users in real life. There is nothing in the current Jamaican legislation that comes close.
Biometric data collection has featured prominently in the discourse. This is one of several forms of information to be collected, including biographic and demographic information. With regard to biometric information, the Act permits the Minister to approve regulations that would allow the Authority to collect “photograph, signature, finger print, palm print, toe print, foot print, iris scan, blood type, height, eye colour, or such other biological attribute of the individual as may be specified in the regulations” – it does not say that the Authority will actually collect all those types of biometric data. Nevertheless, that formidable list might not be justifiable based on best practice. Estonia collects biometric data including the facial image, fingerprint images, signature or image of signature or iris images under the Identity Documents Act. Other biographic information is collected including the hair colour and sex. India’s recent Aadhaar system collects iris scans and fingerprint data only. Both were found to be sufficiently accurate in a recent study by the Unique Identification Authority of India (in a semi-urban setting… the accuracy was 99.73% for “two iris authentication” with a false acceptance rate of one in one million. Further, eight POCs done on fingerprint authentication proved that 99% accuracy could be achieved at a false acceptance rate of one in 10,000)”. Disability does not necessitate such a broad list of options either. For example, collecting a toe print is not necessary in the case where a person has lost a hand, because the absence of a hand is itself a biometric marker.
There have been several right to privacy judgements related to India’s Aadhaar national ID system, which considered a range of issues from whether the government can collect biometric data to whether the government can restrict access to social and welfare services to those without NINs. The general outcome has been that the Indian government may not restrict access to welfare services, but can mandate their national ID card for other government services including tax filing. Nevertheless, their system boasts 99.9% enrolment and the nuances of Indian society and geography that influenced those decisions are unlikely to apply to Jamaica’s Act. Nevertheless, the government should brace for a similar spate of right to privacy challenges, especially since the right to privacy is explicitly provided for in our Charter of Rights and Fundamental Freedoms.
On the second issue, the Act stipulates that NIRA is responsible for the protection of information, including the security and confidentiality of identity information. This will obviously require the Authority to outsource its IT services. NIRA will assign NINs, and the NIN itself will be a random number that bears no relation to the identity of the individual to whom the number is assigned (Section 24). This is an excellent step, and stands in contrast to other systems such as South Africa and Argentina that generate numbers based on demographic, racial, and other data.
Section 18 is of concern, because it requires that the Database be capable of being converted into a legible form. I presume that this was not intended to override the need for adequate encryption. This provision should not be interpreted to mean that the digital records should be printed en mass and stored in a human-readable format.
The privacy of data in the database will be largely dependent on the implementation of adequate security.
Data and security
X-Road has operated without interruption in Estonia since 2001, and 99.8% of their government interactions are electronic – they are not on paper and there is no paper redundancy. They are therefore also a good subject for examining the issue of data security. It is noted that the Jamaican project team has sought technical advice from South Korea, who have also committed to providing a US$600,000 grant towards implementation.
First, since it is impossible to build a perfectly safe environment, trust in the data manager is essential. Estonia’s CIO famously displayed his ID card during a presentation and encouraged viewers to try and breach their security protocols. At the same time he stressed that trust was the most significant factor in the success of their digital ID program. Note that Estonia’s ID is no longer just a physical card, it is also a mobile ID, using any mobile phone paired with a special SIM card, a smartphone app, and desktop software. The ID card is not mandatory in Estonia, but it is widely used because it actually helps citizens in every area, from public transport, to voting, to signing contracts. The reaction of the Jamaican public to the new Act would have been different if more emphasis was placed on presenting a credible and adequately resourced technology coordinator, tasked not only with NIN implementation but e-Governance facilitation.
Secondly, Estonia has used block-chain technology before it was ‘cool,’ since 2008. There is also no single central database for the government’s information. “Whenever two databases need to communicate they establish a direct connection between each other and they exchange data… there are over 900 databases… it is possible to connect all data if the objects have unique identifiers and there has been a goal,” their CIO Taavi Kotka has stated. Block-chain protects the entire system from attack and loss by decentralising information.
Thirdly, Estonia innovates constantly. In addition to developing and implementing cutting edge security and redundancies, they are going further to implement “Data Embassies” to store government data offshore in government controlled servers. That way, even if the state is affected by a natural disaster or large-scale cyber-attack, the state can continue operating. The first data embassy will be setup in Luxembourg.
The way forward
In 1997 when Estonia set out to achieve full e-Governance “there was no digital data being collected about [their] citizens. The general population did not have the internet or even devices with which to use it. It took great courage to invest in IT solutions and take the information technology route.” Thus, while I recognise that Estonia teaches children programming from grade 1, and has a stellar record in information technology and startup development, the government did not wait on achieving any status before committing and taking steps towards e-governance. Jamaica already has widespread internet penetration, and virtually full mobile phone penetration. In 2017 we need a sure commitment to e-Governance, coordinated by a single entity with the resources to make the best use of the new NIDS. More importantly, we need to build trust among the stakeholders through open dialogue and stakeholder engagement. Furthermore, broader policy and legislative changes will be required to achieve the ultimate purpose of the NIDS, which is e-Governance. Jamaican's have deep-rooted fears about state overreach, which the government should be mindful of. They will not be swayed by philosophical arguments about identity, and in fact, might be more alarmed by the narrative. In that regard, the government should focus on communicating the security of the system being built, how that will result in respect for the privacy of residents. More importantly, the ultimate goal of e-Governance must be evident in the communications, planning, and implementation of the NIDS project so that all residents are confident that it will result in meaningful benefits for them as they live, work, raise families, and do business in Jamaica.