The digital identity toolkit

Biometric data is information about personal characteristics that are generally unique to an individual. These can be physical or behavioral. Physical biometric data may include, for example, one’s facial features, fingerprints, or iris patterns, while behavioral biometric data may include attributes such as gait, signature, or voice patterns. 

Most often, biometrics are used in digital ID systems as the primary mechanism for verifying a person’s legal identity. This can be dangerous, as most often an individual cannot change their biometric data, making it extremely sensitive and difficult to remedy in the case of a data breach. It can also be ineffective, since the identifying characteristics are not always immutable. For instance, a person’s gait, voice timbre, or face shape may change as they age, or a trans person may change their attributes typically associated with gender.

Digital ID systems often use a centralized database to store many different types of information about an individual. This can go beyond basic information from an ID card to also record a person’s interactions with different government agencies, service providers, and private companies. Consolidating large amounts of non-anonymized personal information creates a high-value target for hackers and increases the severity of data breaches, leading to harassment, identity theft, and data loss. This also means a single point of failure for the overall system should the database stop working. Multiple authorities typically have access to the centralized database, increasing the temptation for many actors to abuse the available data for surveillance or other purposes.

A proper data protection framework is used to help guarantee that people have control and agency over their personal information, and that public and private organizations collecting personal data are held accountable for its protection and proper use. This framework should include the principles of consent, lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. Without such a framework in place, a digital ID system is likely to be overreaching in its initial design and implementation, and also to proliferate over time well beyond its initial purpose, exposing people to further risk.

A digital ID system is mandatory when it becomes, by law or by practice, the only way for a person to provide proof of their legal identity. In many so-called “foundational” ID systems, the digital ID becomes the only trusted source of basic identity information between a person and the government or authority that requires the authentication of that identity, thus replacing any previously existing mechanisms to prove someone’s identity, such as paper-based identification, if they existed before. For a digital ID system to be non-mandatory, there must always be analog alternatives in place. 

While all mandatory digital systems are dangerous, there is an additional layer of human rights harm when a system mandates collection of biometric data, since this represents the forced digitization of the human body and loss of bodily autonomy.

A digital ID system introduces exclusion by design when the way the system operates, how it is used, or the types of behaviors it encourages result in certain individuals or communities being unable to safely and effectively participate in that system. Sometimes systems are explicitly designed to exclude (e.g. a system that is meant to recognize, surveil, or prosecute a certain category of people, such as ethnic populations, immigrants or refugees, or women), while other systems exclude as an unintended or negligent consequence of poor design (e.g. a system that disallows the election of gender identity).

Before implementing any digital ID system, all relevant stakeholders, including government, companies, and international financial institutions, should undergo thorough, independent human rights impact and data protection impact assessments to identify, assess, and address any potential harms the system may cause or exacerbate. In all cases, such assessments should be undertaken in close collaboration with a diverse cross-section of civil society and at-risk communities. Failing to evaluate potential human rights risks early in the design and development process, and to maintain those assessments throughout the system’s life cycle, will very likely result in serious harms that are difficult to reverse later on.

Every digital ID system should include effective mechanisms for remedying violations of international human rights and international humanitarian law, including the right to equal and effective access to justice; adequate, effective, and prompt reparation for harms suffered; and access to relevant information concerning violations and reparation mechanisms. Not having access to effective judicial remedy – including reparation, restitution, compensation, satisfaction, rehabilitation, and guarantees of non-repetition, as applicable – perpetuates human rights violations and goes against the international legal principles of accountability, justice, and the rule of law.

Even the most highly safeguarded systems will see human rights issues arise, and in all cases, where victims are not able to hold perpetrators of human rights violations to account, they are more likely to continue.

Digital ID systems, particularly those using biometric recognition, are not always accessible for people with disabilities, older people, or people whose fingerprints or other biometric indicators have been eroded or deformed, because they often face complications both at the time of collection and at the time of authentication. Likewise, the collection of biometric measurements can be an intrusive procedure to people’s bodies, which can severely impact people who have intellectual or developmental disabilities, as well as any disorders that affect how the brain processes or interprets information from the senses.

Digital ID systems deployed in opaque and unaccountable ways can harm individuals and exacerbate pre-existing biases. All opaque systems that impact people’s access to human rights have the potential to be invasive, biased, unfair, and manipulative, and to pose threats to data privacy and other democratic values like autonomy, fairness, and transparency.

Systems that are designed and developed behind closed doors, with little to no public consultation or meaningful engagement from civil society, are opaque by default. Often, the procurement of these systems is also opaque, with no available information on technical standards and technologies that are being used, and even without the procurement process itself being open.

When ID systems enroll people under conditions that do not allow for meaningful informed consent, then that consent is invalid and therefore void. This happens, for instance, when collecting biometric data from children, but also when enrolling people who do not have access to alternatives that do not imply a significant harm or expense, such as refugees or impoverished people who require a digital ID to access subsidies.

Certain technologies (e.g. biometric recognition) used to identify individuals and collect their personal data – as well as those systems’ legal and technical infrastructure – facilitate overreaching surveillance. Practices such as categorization of bodies, cataloging of ethnicities, or tracking of people’s movements all bring consequences for freedom of speech, privacy, and ultimately people’s autonomy, damaging the fabric of democratic society.

Surveillance linked to someone’s legal identity – and therefore their relationship with a state, their standing in society, and their ability to gain access to welfare, healthcare, and other basic services – is highly invasive, undermines their ability to fully and meaningfully engage in society without fear of repercussions, and deepens existing discrimination and inequities.

Through every stage of their design, development, and implementation, digital ID systems can easily amplify existing forms of discrimination or introduce new ones. When a system does not properly account for the needs of a specific community, they are likely to be left behind – cut off from essential services, forced to overcome additional barriers, and confronted with difficult tradeoffs between being treated with dignity and being granted access to their rights. At its worst, discriminatory functions are built into the system intentionally, putting people at even greater risk of serious harm, ranging from targeted surveillance, detention, and deportation to denial of services, forced misgendering, and more.

The use of certain technologies that force people into the digitization of their bodies and the storage of data about them in places over which they cannot exercise full control – particularly in places where these systems are used for the distribution of public assistance or welfare – can be an attack on autonomy, human dignity, and bodily integrity, treating data about the body as something that can and must be traded to access other fundamental rights.

Digital ID systems often require individuals to misidentify themselves in order to access a certain place, service, or action. For instance, someone who identifies as nonbinary might be required by the system to identify either as male or female. By forcing a choice between maintaining one’s full identity or accessing basic rights and services, the system undermines the person’s ability to navigate the world with autonomy and dignity. These artificial constraints marginalize people, deter their participation in society, and further classify them as “invalid.” They also introduce collection of sensitive data that is typically not necessary for the system to function properly.

Digital ID systems – often deployed by governments with the stated purpose of improving access to public services, especially those linked to welfare and financial aid – can introduce barriers to access for the people most in need. A person may be cut off from accessing services through the digital system because they lack meaningful access to technology, because they have specific attributes or experiences that prevent them from easily interacting with the system, or because the system exacerbates existing models of exclusion or disenfranchisement. The immediate and compounding harms of being denied access to basic public services like water, housing, healthcare, or education are almost beyond measure, pushing vulnerable people deeper into the margins and making it impossible for them to climb out.

Digital ID system databases – particularly when centralized – can pose one of the biggest dangers possible to people’s privacy. These systems often assemble excessively comprehensive profiles of personal data, with each additional data point adding another layer of risk. Around the world, leaks and hacks of these databases have led to missing data, stolen identities, fraud, and many other types of physical and mental harm that fall entirely out of affected people’s control. Matters are only made worse where there is no meaningful legal framework for data protection, leaving people with limited options to recover their losses.

When designing a digital ID system, it is necessary to consider not only its possible consequences and goals, as well as the needs for its development and rollout, but also how it will be maintained over time – an aspect proponents of these systems often overlook. This oversight is especially damaging in countries that don’t have the underlying resources to keep a consuming system properly working, leading to breakdowns in the system’s infrastructure and disruptions to access. This can make the situation worse than before the system was installed, especially once other processes have adapted to identification working digitally.

Governments tend to prefer a centralized approach that involves a unique identifier number that can track an individual across different services, since such systems provide governments much more information about their populations, leading to heightened risk of surveillance, discrimination, and data insecurity. Decentralized databases can take many different approaches and many different technological structures, and not all of them are ideal. But when designed carefully – considering accessibility, technical viability, service delivery, and other key factors – a decentralized approach can grant people greater access to and control over their data and provide a stronger framework for managing data sharing and preventing leaks.

To ensure human rights are protected, governments should have a strong, fully operational data protection framework in place before adopting any kind of digital ID system. Many countries still don’t have such a framework, and thus do not have even the most basic protections required for building a rights-respecting digital ID system. The minimum data protection framework necessary would include, at the very least, eight principles: consent; lawfulness, fairness, and transparency; limitation of purpose; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Although it has become normalized, the collection of biometric information is a very delicate process that can affect a wide range of fundamental rights. Collecting biometric information is rarely justified, and biometrics are not necessary or appropriate in all contexts. For example, in certain scenarios, multi-modal biometrics might give individuals more flexibility to choose which data they want to provide, but more often they deepen problems by requiring several types of biometric data simultaneously. In any circumstance, individuals who cannot provide meaningful consent over their bodies, such as children, should never be required to provide biometric information. Biometric data should also always be safely discarded as soon as the biometric templates are created in a way that does not allow the data to be restored to its original form.

Before a digital ID system is rolled out, the administering government should have clear safeguards in place to protect the confidentiality, integrity, and availability of the system and its data. These safeguards should be comprehensive, integrating a wide range of different measures – including, for example, security protocols for data, devices, and physical structures and clear limits to staff privileges and access to data. Safeguards should also protect against errors like duplicate identities or repeated identifiers, alterations or other unauthorized changes to the data, and data misuse. In parallel, strong accountability mechanisms must hold system administrators responsible when issues arise and lead to corrections to avoid the same problems going forward. Such processes are essential for protecting individuals’ fundamental rights as they engage with the system, and for upholding the trust necessary to allow the digital ID system to effectively function.

When a person’s human rights have been violated, they are entitled to remedy – meaning access to justice, some form of reparation or redress (such as monetary compensation), and rehabilitation. Likewise, all digital ID systems should include pathways for addressing any human rights harms they may cause from the outset. Clear, accessible mechanisms for remedy and redress empower individuals and communities to exercise control over the system and hold its administrators accountable, as well as to obtain compensation for damages they have suffered. In addition to a clear legal foundation for the redress mechanism, people also need to have easy access to information regarding how to present and follow up on a request, and authorities must provide a timely, just response.

One of the most fundamental principles of data protection is data minimization – which means a system should only collect and retain the minimum amount of data necessary to perform its intended function. Despite this, digital ID systems tend to encompass a large number of data points, such as someone’s address, gender/sex markers, citizenship status, ethnicity, etc. In most cases, governments claim many of the data points collected by digital ID systems that aren’t strictly necessary for verifying someone’s identity are still necessary for statistical purposes. However, this type of data should be collected by means of a population census and should be anonymized and safeguarded in ways that prevent any data from being traced back to a specific respondent. Most of this information is not needed for any specific interaction with the state, or can be provided on an as-needed basis, and should not be incorporated into a digital ID system.

Individuals can only provide real consent to the collection and processing of their data in a digital ID system when they have a feasible alternative available and refusing to participate in the system is a viable option. There should always be easy and accessible mechanisms to either opt in or opt out of a specific system or parts of it. In particular, every digital ID system should have one or several analog alternatives available. Digital ID should never be understood as a synonym of legal identity, but rather only as a way of proving the relationship between a person and a state or similar institution. The fundamental right to a legal identity should always allow for a diversity of ways to prove it, both through analog and digital means, and any identity system should always presume the good faith of people as well as their being entitled to fundamental human rights even in absence of proof.

In many cases, governments that have invested in the development of a digital ID system continuously seek out opportunities to expand its use, even to interactions that should not require any type of identification (e.g. simple commercial transactions, access to public WiFi networks provided by the state, or public healthcare services). When designing a system, there should be careful consideration regarding whether the authentication of a person should be required to allow them access to a specific service. Many services, both public and private, can be provided without knowing a person’s identity, and therefore should be made available as anonymously as possible. In other scenarios, such as healthcare (particularly reproductive healthcare), the characteristics of the information required are such that it should only be required by the provider itself and not stored in a centralized database along with other types of personal information.

To build a well-functioning and trustworthy digital ID system, a government must be transparent and engaged with the people and communities the system is likely to impact. Transparency in the process should start the minute a government is even considering replacing or implementing a digital ID system and continue every step of the way, particularly during the procurement process and after implementation. Governments and other stakeholders cannot achieve transparency by merely sharing information about decisions they’ve already made, publicly promoting the system, or holding cursory “consultations” with civil society that will not meaningfully shape the process.