The governance of digital public infrastructure: beyond technical standards

Reflections on the ID4Africa conference held in Cape Town, May 2024

In advance of this ID4Africa conference, with its focus on ‘digital identity as digital public infrastrcture’, I had written down some questions on which I’d like to gain new insights. Top of the list was to understand which international or regional standards those implementing digital identity systems in Africa are relying on in practice — and whether these include standards relating to the issues about which I am most concerned.

My own interest in identification systems comes from a background in research and advocacy on the right to a nationality and identity documents in national and international law, with a particular focus on African states. My usual discussion fora involve activists, policy-makers, lawyers, and scholars concerned with the discrimination that results in statelessness and rightlessness. Hearing from the ID4Africa participants represents an opportunity to get a very different perspective on some of the same challenges.

In particular, therefore, I was interested in understanding what might be the emerging best practices for resolving the status of those people whose legal status in a country is unclear; and more broadly the current state of play in the debates over governance of identification systems, beyond questions of data protection and privacy. These discussions are central to the questions highlighted by Emrys Schoemaker: what actually is ‘digital public infrastructure’? And how does a ‘DPI approach’ ensure that DPI is safe, inclusive and rights protecting?

Parallel conversations on standards

One of my principal take-aways from the meeting was how there are different conversations about standards that are taking place in parallel, with little crossover.

Most of the private sector and government participants — as well as those engaged in international policy from the more technical side — were focused on technical standards enabling interoperability. Those most referenced were the Open Standards Identity API (OSIA) developed by the Secure Identity Alliance and very recently adopted by the ITU, the mDoc standards evolving out of a US-developed standard for mobile driving licences, the W3C Verifiable Credentials Data Model, and the standards being developed by the OpenID Foundation.

As a subset of this discussion, there is an ongoing and unresolved tussle for top position on interoperability, between open standards and open source software (notably the Modular Open Source Identity Platform (MOSIP)). Based on the presentations at ID4Africa, the advocates for open standards seemed — compared to a few years ago — to be winning the battle for airtime over the advocates for open source as the foundation for digital public infrastructure. Perhaps this is not surprising given that the conference has such a substantial number of participants from the private sector. But I would have been interested to hear the pros and cons of the two approaches more openly and explicitly addressed, rather than kept to a passive-aggressive comment or two in presentations otherwise focused on different issues, or views from the stand-holders on the expo floor.

Those coming from a background in humanitarian assistance or human rights and child protection, meanwhile, were focused on legal, policy and technical standards relating to oversight and governance of identification systems. In particular, the presentation of the UNDP model governance framework for digital legal identity systems (in which I should declare I have an interest, as one of the authors), stood out as an effort to address a much wider set of issues than only the technical layers of interoperability. But, although their institutional authors used them as a reference point, nobody from the government or private sector mentioned this recently-published guidance (from 2023) — nor even the longer-standing but less-elaborated Principles on Identification for Sustainable Development developed by the World Bank and endorsed by a wide range of other institutions.

Questions from the audience posted in the conference Q&A app — presumably largely from the civil society representatives present — nonetheless constantly raised the broader issues of accountability and rights. For example, a strong Kenyan contingent asked questions about the ‘vetting’ process for national identity documents, and the high cost of the new digital identification systems (Huduma Namba, that has now become Maisha Namba), and the passing on of that cost in the form of recent fee hikes for access to identity documents. Perhaps inevitably, many of the more provocative questions around governance of digital identity were not selected for discussion with the panellists — notably one on alleged hijacking of the Gabonese electoral register. These incursions did little to disturb the dominant discourse on technical issues.

Identity and due process

One of the main focuses of my own writing in both policy and scholarly contexts has been the importance of due process in procedures for the resolution of unclear legal status in a country, if strengthened identification systems are not to do more harm than good. This sense was only reinforced by presentations at the conference.

In polls of participants launched by Joseph Atick, presiding genius of ID4Africa, on the first day of the conference, around 90% of those responding thought that digital identity systems should be linked to civil registration; 60% thought that digital identity should be linked to citizenship; and 89% agreed that possession of a national identity number or credential should be required to access public services.

When pushed by Joseph Atick on the dangers of exclusion created by this triad, government representatives mostly argued that making digital ID compulsory would ensure that it was universal. There appeared to be little systematic thought about solutions for the usual groups vulnerable to exclusion from identification because they are presumed to be non-citizens, even though they have no possibility of claiming any other citizenship — the cross-border or nomadic populations, the descendants of migrants with no identity documents of their own, the vulnerable children ….

A few government representatives (Rwanda, Liberia) mentioned the concept of ‘introducers’ for those with no existing identity document, to enable them to enrol in the system. There was also a note in the UNHCR-chaired parallel session on the last day of ‘standard operating procedures’ proposed for development by civil registration officials in Lesotho and Eswatini for the determination of the situation of children whose status as nationals was not clear at the time of birth registration. But there was no real focus on the need for best practice guidance in this area.

I would also have liked to see (but did not) an indication that those interested in the technical aspects of identification infrastructure were considering design steps to integrate systems for resolution of these cases into the digital identity systems themselves. For example, how can decision trees in the software propose a solution if a person does not have access to the expected information to be enrolled in the system – such as the identity documents of parents (or simply their identity, in case of a child abandoned as an infant or separated from family by displacement). The solutions for those of doubtful status will necessarily be analogue — involving the judgment of a legal authority competent in the case — but the digital environment could be designed to point to pathways for resolution rather than enabling the outcome that ‘computer says no’ without further recourse.

Digital wallets

I left the ID4Africa meeting with a much better idea of the concept of ‘digital wallets’ that enable a person to reveal only those elements of an identity that are relevant to the specific task in hand, whether it be age, or educational or professional qualifications, or vaccination status, or employment — or, indeed, citizenship. This concept does seem to have promise in addressing some of the main concerns around privacy and surveillance. In addition, the digital wallet discussion brought my favourite online question from the conference participants: Will Louis Vuitton produce an exclusive digital wallet?

But, as argued by Keren Weitzberg, the thinking about the design of such systems is relevant only for those in possession of a smartphone, and access also seems often to be restricted to assisting those who already have a government-recognised legal status. The presentation on the EU Digital Identity wallet, for example, indicated that the current regulation applies only to EU citizens and residents eligible for a national ID card. I conclude, once again, that there are no shortcuts or escape from the need to integrate the deeper issues of governance and human rights into the technical discussions.

—

My attendance at the conference was facilitated by the Caribou Digital project on Identity and Migration, funded by the Robert Bosch Foundation.