Work permit: citizen’s data at a crossroads

Brazilian work permit (photo credit: Wikimedia Commons)

This piece is part of the Identity and Internet Series, written by Yasodara Cordova of Harvard Kennedy School and Coding Rights, a member of the Privacy International Network. It does not necessarily reflect the views or position of Privacy International.

Original in Portuguese: https://medium.com/identidade-e-internet/identidade-e-internet-8489e3cf5b6f

The work permit is the oldest and most visible form of mandatory documentation for those working under Brazilian labour laws. Receiving one is cause for celebration upon landing a job. However, it hides a web of intertwining databases that start and end on the Internet.

The work permit establishes the worker’s relationship with the fourth largest bank in Latin America: Caixa Econômica. This relationship has been compulsory since 1943, with the approval of the Consolidation of Labour Laws (Decree-Law 5452/43), which established the social security contributions and union contributions collected by Caixa. The law states that everyone working under the law should have a Caixa account.

Just as the Internet has changed people’s way of relating to news, it has also modified labour relations. The government demands a list of identity numbers from a worker as a condition for receiving social benefits. As such, it registers employees with a pool of different institutions, spreading data through an entire chain of platforms, each with its own weaknesses and potential risks. This ‘salad’ of numbers should receive more attention from public bodies.

The numbers salad

To understand the complexity of the system, it is important to understand the relationship between the numbers and why there are numerous different systems and databases. The numbers are:

  1. NIS (Número de Identificação Social): This is primarily used by the Severance Indemnity Fund for employees (FGTS, or Fundo de Garantia por Tempo de Serviço).
  2. PIS (Programa de Integração Social): When someone becomes an employee, the NIS becomes the PIS. The PIS represents the relationship between an employee and their private sector employer. It is also paid through Caixa Econômica, which creates the PIS and NIS.
  3. NIT (Worker Identification Number): This is an ID number that the self-employed use to pay their quota in the social security system (INSS) and obtain benefits. Unemployment and retirement insurance also depend on this number. The National Institute of Social Security manages this database.
  4. Worker’s number: This is the registry number that is printed in the document, following the barcode.

This collection of identifiers for access impacts negatively on efficiency. As already presented in this series, this data is not secure. In fact, it is readily available to be consulted on the web or by request, because these are considered public documents.

Digital work permit: the fraud-ending promise that went wrong

The Digital Work Permit was launched in 2015 as a crusade against fraud. But, like its traditional analogue version, the digital surrogate has repeated the same errors. The biggest difference between the two, apart from the format, is the digital barcode.

With that exception, little has changed regarding the ecosystem for citizen protection. In the case of the work permit, the situation is even worse because it involves many vulnerable Brazilians, such as minimum wage recipients. The system does not prevent fraud, but because it is digital, it reinforces a false sense of trust, making the new version look more reliable.

The system that collects biometric data for the permit was developed by a private company, hired under an expedited contract outside of public bidding. When something like this happens, it disadvantages the independent organisations that are interested in auditing the systems. Also, as the technical requirements are not transparent, citizens cannot know how the data is being stored, or if there are minimum requirements to secure it.

Today, there are more than 60 million work permit documents, and most of them still belong to the analogue model. The first attempt to implement the digital version involved issuing new identification cards, to give access to information about the citizen’s circumstances in the systems related to Caixa Econômica and the INSS. It was unsuccessful and the card was discontinued. In many states, the distribution of the digital work permit was suspended due to system failures in the issuance. The barcode technology was meant to deter fraud; however, it fails as an authentication and authorisation method because it is easy to copy and re-print.

How many personas can you create?

This section will discuss the ease of creating fraudulent versions of official documents. The objective is to draw attention to a situation that already exists and is commonplace. Producing false documents or passing as another person is a crime, and is punishable by arrest and fine.

An official image capture kit with biometrics extraction can be purchased online for less than 5,000 reais. Anyone can buy this kit and create a work permit in a garage, which shows that the fraud prevention argument has been overrated since the beginning. With equipment such as a CTPS kit, a printer and a basic computer, documents with real numbers from real people can be generated. Given the carefree publication of citizens’ data, it is easy to retrieve this information.

Through the Dataprev website, an individual in possession of an NIS number can access additional data from other citizens. On Caixa’s website, if someone has a) the full name of the affiliate, b) their date of birth and c) their CPF number, they can obtain their NIS or PIS. The system is also vulnerable to more sophisticated methods, such as keylogging (when the password is obtained with a malicious file sent to the user).

The ecosystem, the ECOSYSTEM!

Some documents and data should not be public. Unfortunately, in Brazil, progress in transparency policies has not been accompanied by policies focusing on security and the protection of human rights, such as the right to privacy. Internet integration needs the assurance of citizen protection. The approval of the Data Protection law is urgent and should be a guideline to think about e-government, to reflect on the ecosystem of public data, and to guarantee transparency coupled with respect for citizens’ privacy.

Several of Brazil’s laws around public money transfers did not consider the premise of protecting more vulnerable citizens, such as the law that created the Bolsa Família Programme, which grants mandatory public access to the list of beneficiaries, with the respective amounts transferred. Public access means that these payments are published on the Caixa Econômica website and the Transparency Portal online.

Other technological alternatives should be considered for the extraction, distribution, and inter-operability of data. Government digital policies regarding freedom of expression and the privacy rights of Brazilians are being neglected, despite the amount that is spent on maintaining government websites and systems. The state must pass a law that protects vulnerable citizens from having their data published without criteria.