Digital identity and biometrics in Africa, Part 2: risks & questions
[Read Part 1 here.]
Now I’ll move on to the arguments against digital identity systems. These arguments are less about digital identity per se and more about digital biometric identification specifically.
The most strident critiques of biometric identity systems come from NGOs whose missions are the defense of digital security, freedom of expression, and the right to privacy. This opposition is based on analyses of how this technology has been used in the past and what this tells us about how it might be used in the future. It focuses especially on the types of biometric identification that can be non-consensually gathered and applied, such as facial, voice, and gait recognition.
Both Access Now, an organization that advocates for digital rights of users, and the Electronic Frontier Foundation (EFF), a non-profit foundation founded in 1990 in California to promote Internet civil liberties, have come out against this technologies on the grounds that they are endanger basic human rights. More alarmingly, they see them as potentially authoritarian means of population control. Brett Solomon, executive director of Access Now, wrote in an op-ed in Wired, “I am … convinced that digital ID, writ large, poses one of the gravest risks to human rights of any technology we have encountered.”¹ It is the convergence of several new technologies that spells such danger: biometric identifiers, real time geolocation identifiers, and artificial intelligence and machine learning that will be used to “make decisions based on our identities” — i.e., the digital identity compiled from all this information. This technological assemblage can theoretically be used by both state and private entities for a variety of purposes, some of them quite nefarious. The EFF also draws attention to the mandatory nature of biometric identification systems in countries as diverse as Argentina, Belgium, Colombia, Germany, and Peru, arguing that mandatory identity cards “habituate citizens into participating in their own surveillance and social control.”²
Let me break this down further into political and logistical dangers. There are two clear political dangers that have become associated with this technology. The first, as Solomon mentioned, is the risk of surveillance and tracking (through biometrics and digital traces left by geolocation) by government entities for the purpose of political suppression. This kind of tracking has already been revealed in the private sector with mobile phone apps but even in these cases, as egregious as they were, the data was collected with the consumers’ voluntary consent (however dubiously acquired).³ In contrast, in the cases of biometric identity systems, the data is the product of mandatory national registration. (One of the most alarming stories I’ve read on this topic was about the digital identity system in Venezuela built by ZTE, a Chinese company, as revealed by Reuters investigative journalists and reported last year.)
The second political danger identified by scholars and activists is the way this data “frequently flows between governmental and private sector users,” as the EFF report puts it.⁴ I’ll expand on this later but for now, suffice it to say that the use of biometric data is seen by scholars like David Lyon, a sociologist who directs the Surveillance Studies Centre at Queen’s University, as a a quintessential form of “surveillance capitalism.” In this form of capitalism, consumer data is the most valuable resource leading economic growth.⁵ For Lyon, one of the effects of this system is “social sorting,” a term he uses to describe the means by which people are categorized by their dense data trails in ways that are legible and meaningful to the surveilling entity.⁶ Lyon sees this as not only the erosion of rights of privacy but also of human dignity and autonomy, especially as this data comes to shape our socio-economic paths through data-driven profiles created by corporations and, increasingly, state bodies. Given the scandals of the last few years, in which data was handed over (intentionally or through negligence) to advertisers and governments by the most massive private data collection entities today, this kind of flow should be concerning.
One key point to note here is that the ethical-political distinction between consensual and non-consensual (or mandatory) collection of biometric identification is lost when data begins to flow between entities in this way. To spell it out: if you consent to have your data collected in one context but then it’s passed on to (or seized by) a government body without your consent (i.e., through a “backdoor”), it’s the same as having one’s data collected non-consensually.
Then there are the practical critiques of biometric identification. These center on the hopes that are invested in these digital identity programs in light of the significant logistical and cultural challenges, especially in rural regions and among older generations. The first problem is simply that such sensitive data is not often securely held. Rather, centralized databases, where are touted as one of the benefits of digital identity, create what the EFF report describes as a “honeypot of sensitive data vulnerable to exploitation.”⁷ Put another way, if invasion of privacy by the government and corporations was not enough, there is also the danger that hackers could breach a government’s weak digital security systems. As Solomon puts it, governments have effectively become “data fiduciaries” and as such, they have an ethical obligation to users.
Aadhaar, India’s national digital identity database and home to the data of over 2 billion Indian residents, has already been compromised a few times since its creation in 2015, as documented by Indian journalists and independent digital security analysts.⁸ The stolen Aadhaar numbers were then being sold on the black market; another instance found 10,000s of numbers had been insecurely stored for years. A significant aspect of the risk and vulnerability is that unlike passwords or PINs, biometric data cannot be changed. This creates a major bureaucratic conundrum if unique information is stolen or exploited because, unlike a password or PIN, it is out of the user’s control.⁹
The second logistical issue is just as troubling: the risk of malfunction or statistically small but inevitable non-match variation. (This is referred to among data geeks as “goats,” a term from a classic paper on the phenomenon by Doddington, et al.¹⁰) Glitches in such systems can have far-reaching repercussions. Clare Sullivan, a legal scholar who specializes in digital identity, notes that biometric technologies have problems of both false positives and false negatives. Gaming this out, she writes:
[I]n a large population even a seemingly low error rate, such as that cited for some biometrics for example, can result in a large number of mistakes. To put this in perspective, consider, for example, a two per cent error rate for a population of 300 million which is approximately the population of the United States, results in 6 million people being affected.¹¹
In the case of India or China, home to a 1.225 billion and 1.338 billion people respectively, the number of people who could be effected — that is, excluded from government services or basic civil rights like voting — number in the tens of millions. Journalists in India argue that there have already been such cases: a report published in 2018 alleged that there have been a number of deaths from starvation across the country related to problems with Aadhaar cards that blocked access to food rations. On a more mundane level, when essential resources are dependent on digital systems, it’s easy to imagine how mundane problems — a spotty Internet connection, a broken POS machine, or bad design — can have serious effects. Breckenridge’s review of the implementation of the e-Zwich bears this out.
The pros and the cons (with a return to Ghana)
First, we can see how the problem of civil registration in Africa played out in Ghana where the question of how to define Ghanaian citizenship without proper documentation comes to the fore. The fluid boundaries and centuries of migration in Africa undermine clear lines around most African populations, meaning this issue will likely arise in other countries.¹² In the future, it’s likely that the biometric database itself will be called on to adjudicate these issues, leaving out anyone who was not registered. Second, the logistical issues in rural countrysides with sporadic electricity, spotty Internet connections, and digital illiteracy will also probably be a challenge in other African countries, leading to frustration and/or disuse.
Third, there are the issues of individual privacy and digital security. In the rush to development (to “leapfrog” into hypermodernity, as the story goes), it’s easy to see how these concerns can be marginalized, or rather how they might be rationalized as sacrifices made for the overall good. But this reasoning is putting vast populations at risk of identity theft on one side and government surveillance on the other.
Unfortunately, these issues have already come up in Ghana: it came out this year that the country’s electoral commission sold voter data to a private Accra-based software company (as far back as 2016) who then sold the data to a financial service provider (unspecified in the news report). The sale took place without any agreement between the two parties regarding use or security measures. As we can see, the unsupervised flow of personal data between state and private entities is already underway in Ghana, although there are new discussions about data security and privacy taking place at high levels of the government.
The risks that arise with the collection of biometric data and digital identity schema are complex and shouldn’t be dismissed offhand. The biometric industry is constantly running to keep up with the latest hacks and vulnerabilities. Ideally, these companies would to be held to the highest standards, within parameters decided upon by an informed populace. The ultimate questions are: Is the overall risk worth it? Is mandatory data collection ethical? Many argue that it is not. Either way, these are questions that democratic electorates should be able to decide on their own.
Lastly, the risk of surveillance and tracking of individuals is not addressed by any of the programs’ advocates. Digital, and especially biometric, identity is seen as a major area of growth in the financial technology sector. Biometric identification is viewed as a potentially transformative technology in that it will allow for streamlined monetary transactions and “co-branding opportunities” between linked products (on the Internet of Things).¹³
This brings us back to the question of the flow of biometric data between public (state) and private (corporate) entities. In many digital identity schema, this flow is taken for granted as beneficial, for example, as a way to extend banking to people who have been shut out of the modern formal economy. In the case of e-Zwich program, Breckenridge documents how the drive to incorporate informal monetary transactions within GDP and other economic metrics is a major element in the argument for digital identity in Africa. That the global payment industry is constitutive of the organization of ID4Africa illustrates how fundamental such private corporations are to the vision of digital identity enacted in Africa. On one level, if these collaborations are going to be taken for granted, parameters and means of oversight should be clarified. At the same time, given the security risks and the worrisome possibilities of public-private data sharing, this relationship should be carefully questioned and considered.
Closing thoughts: literacy and extractive capitalism
A few themes came out of this research that I want to highlight here, by way of a conclusion. Mostly, I want to point out the way plans for digital identity in Africa, as it’s proceeding now, risk replicating colonial logics and global inequality through developing African countries for resource extraction (capital, debt, data) in lieu of investing in more infrastructure, especially education but also much more basic things like street addresses and consistent electricity.
Literacy became one of the unexpected themes in my research. Literacy is one of the historical distinctions between Europe, settler societies (i.e., Canada, the US, Australia), and countries that were colonized by European powers. European and settler societies entered the modern industrial age as educated citizens — economically and racially stratified yet in principle democratic — while colonial societies entered the modern age in states set-up primarily to manage the extraction of resources for colonial powers. In colonial states, indigenous populations were treated as charges and manual laborers rather than citizens. In this context, literacy was unnecessary and superfluous to the implicit task of government (extraction of resources).
One of the main arguments for this technology in developing countries is that a low literacy rate makes signatures impractical as a universal mode of identification. In this sense, digital identity is posed as an innovative solution to bring developing countries into the 21st century. Breckenridge argues that, when viewed historically, the enthusiasm for digital identity is part of a shift in focus from civil registry — such as 20th century campaigns, in countries like Ghana, to register rural inhabitants as citizens — to banking. Again, this illustrates the hopeful promise of digital identity (among banking industry professionals, as least) to formalize Africa’s immense informal economy. But Breckenridge sees this shift as emphasizing the needs, hopes, and promises of banking as a means of development at the expense of the benefits offered by civil registration as a means of development, through allowing citizens to access state resources. He argues that the distinction is driven primarily by a desire for profit. “Biometric identification is following the money,” he writes.
Besides banking, there is clearly money to be made in this industry through the corporate contracts alone. A handful of private companies have cornered the market on digital identity or biometric identification systems in Africa. The Ghana Card is following a common model that is marketed, produced, and managed by a few companies (e.g., Net1 UEPS; Sagem — later renamed Morpho). This system, developed by Net1 UEPS, was aimed at enrolling “the very poor, illiterate people who ‘are not going to remember the pin number on a card’” (quoting the French founder of Net1 UEPS). These companies specialize in creating biometric identification systems for “under-banked” populations of developing countries. The model includes a barcoded card, a centralized fingerprint database, mobile registration teams sent out into rural areas to collect the biometric data, and (again, quoting Breckenridge on the E-Zwich) “the identical pattern of failure as the financial and administrative costs of delivering nation-wide registration mounted.”¹⁵ Yet, as in the case of the Ghana Card, these companies continue to win contracts, paid for by loans by the WHO and the US (that, to state the obvious, leave Ghana in debt). Given all of the challenges and possibilities laid out here, it’s not clear if, or how much, typical Africans will gain in these scenarios.
While biometric passports are in use in North America and the EU (and not without some criticism), wealthy North Atlantic countries have resisted the wholesale adoption of biometric identification systems, e.g., biometric voting. It’s easy to imagine how the American electorate/political radio/twittersphere would react if a proposal for mandatory iris scans in voting booths or at the bank were to be introduced in the US Congress. We have to ask, why do wealthy countries view these technologies as dangerous or creepy while developing countries view them as acceptable? Is this simply a question of perceived risk relative to perceived gain? (I.e., they have more to gain so are willing to take the risk?) Or is the negative view of biometric identification peculiar to the US where wariness of government overreach runs deep?
I don’t have easy answers to these questions but judging from my reading, I think the distinction between colonizing, colonized, and settler-colonial societies is relevant here. These divergent — but deeply entangled — histories set in motion very different relationships to the global economy and the modern state. If we’re going to honestly evaluate the ethical and political ramifications of these technologies, we have to consider how they build on or reinstate inequalities in global power and wealth and the potential for oppressive state governance.
[1] Solomon, Brett. “Digital IDs Are More Dangerous Than You Think.” Wired. September 28, 2018. https://www.wired.com/story/digital-ids-are-more-dangerous-than-you-think/
[2] “Mandatory National IDs and Biometric Databases.” Electronic Frontier Foundation. Accessed January 10, 2019. https://www.eff.org/issues/national-ids
[3] “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret.” The New York Times, Dec. 10, 2018. https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
[4] “Mandatory National IDs and Biometric Databases.”
[5] Zuboff, Shoshana. The age of surveillance capitalism: the fight for the future at the new frontier of power. London: Profile Books 2018.
[6] Lyon, David. “Surveillance Capitalism, Surveillance Culture and Data Politics.” In Data Politics: Worlds, Subjects, Rights. Edited by D. Bigo, E. Isin, and E. Ruppert, forthcoming, p. 10. London, Routledge, 2019.
[7] “Mandatory National IDs and Biometric Databases.”
[8] Panday, Jyoti. “Can India’s Biometric Identity Program Aadhaar Be Fixed?” Electronic Frontier Foundation. February 27, 2018. https://www.eff.org/deeplinks/2018/02/can-indias-aadhaar-biometric-identity-program-be-fixed. Also see: Safi, Michael. “Indian court upholds legality of world’s largest biometric database.” The Guardian. September 26, 2018. https://www.theguardian.com/world/2018/sep/26/indian-court-upholds-legality-of-worlds-largest-biometric-database
[9] If you are asking, But how can biometric identification be falsified?, here are some innovative examples. Beware: it can be gruesome.
[10] Doddington, George R. et al. “SHEEP, GOATS, LAMBS and WOLVES: a statistical analysis of speaker performance in the NIST 1998 speaker recognition evaluation.” ICSLP (1998).
[11] Sullivan, Clare. “Digital identity — From emergent legal concept to new reality.” Computer Law & Security Review 34 (2018): 724–725.
[12] Breckenridge, Kieth. “The World’s First Biometric Money: Ghana’s E-Zwich and the Contemporary Influence of South African Biometrics.” Africa 80, no. 4 (2010): p. 646.
[13] E.g., Sealy, Phil. “Get smart: why biometric cards will reshape the payments industry.” Biometric Technology Today. September 2018.
[14] Breckenridge, 2010, p. 642.
[15] Ibid., p. 648.
