Digital Identities: Mitigating Risks for Technologically Enhanced Governance

Ashley Fox, Benjamin Seebaugh, and Eliana Sherwood

December 2019

Introduction: What are E-identities?

The concept of a digital identity—what it is and its uses—is still evolving as society and governments attempt to keep pace with rapidly changing technology. Initially, the Internet was not designed to identify users. The entire system was built off an assumption of anonymity. Although machines that use the Internet can be identified through their IP addresses, there is still no prescribed way to identify the person using that machine. As the Internet has expanded, the lack of a universal identification system has created severe problems around the globe for citizens and governments alike. Beyond that, many opportunities to harness the strengths of digital identities have been left untapped.

Over the last several decades, more aspects of daily life have become digitized and moved to online platforms. From banking to communication systems and even healthcare, the Internet has quickly become a hub for almost every activity. The ever-increasing uses for the Internet in our everyday lives have led to the development of digital identities. “A person’s digital identity is an amalgamation of any and all attributes and information available online that can bind a persona to a physical person…Today, digital identity is based on what information people share about themselves, what information exists about them in publicly available databases, where they are located, what their browsing habits are, etc.”[1]. Yet, this description of a digital identity is still vague, and much debated by governments and companies around the world as they compete to find a definitive and authoritative solution to the current internet-era identity predicament.

The Benefits

Refugees and displaced people

Despite many challenges governments will face due to the increased usage of digital identities in the coming years, there are clear benefits that can be gained. Many countries in Europe and the Middle East are currently taking in unprecedented numbers of refugees, which has had a severe impact on the overall economic health of these countries as they struggle to support the infrastructure that is required to support this influx of people.

Giving refugees digital identities for the country in which they live could allow them to integrate into their new home much more smoothly. Many refugees have no form of identification from their home country, and many children who are born while their parents are refugees are left in a state of limbo with no legal identity. “These missing identities, especially for those children born in transitory states, could find legitimate identification on the blockchain. Blockchain-based identity verification would not only give refugees access to secure, verifiable identities but could also be transferred anywhere. Unlike current digital identity protocols, those built on the blockchain are not tethered to a single program or system.”[2] This lack of identity is noteworthy because refugees tend to move frequently, and currently, there are no reputable overarching systems to track their personal information or identification.

Increased voting access and participation

In recent years there has been a growing effort to utilize digital identities to increase voter turnout and participation. Worldwide, many recent elections have highlighted the obstacles of traditional voting, most significantly a lack of accessibility, problematic voter ID laws, and human error involved in mailing and manually counting paper ballots. These complications create issues with individual-level voting but also create public distrust in the outcome of the vote.[3] Utilizing digital identities through blockchain would ensure both anonymous and secure voting for millions of people. It also enables those who were previously unable to reach polling stations to vote on their laptops or smartphones. Estonia has already utilized this system, resulting in an increase in online voter turnout from 1.9% in 2005 to 30.5% in 2015.[4]

Medical records

In many countries, patient records are kept on paper-based systems or held in entirely separate online systems that don’t communicate with each other. This makes the aggregation of patient data and, by extension, the administration of effective and efficient healthcare extremely complicated. In recent years, some countries have begun to adopt “e-health” platforms, and as of 2016, approximately 47% of countries have implemented some form of electronic health records (EHRs). Utilizing digital identities for patients through these EHRs would allow for a secure transfer of patient information to “improve the quality of treatment, reduce administrative burdens for patients, facilitate access to insurance, reduce fraud, and improve data collection,” and would also allow counties to develop better public health policies.[5]

The Challenges

Although the list of beneficial uses of e-identities continues to grow, many within the digital security community warn against the potential risks of widespread proliferation. In this section, we will discuss some of the ongoing challenges—from identity theft to strengthening authoritarian control—presented by digital identities.

Mass surveillance and strengthened authoritarianism

As governments seek to streamline services for their citizens through the expansion of e-identities, they are running headfirst into a potential human rights crisis. With the increased access to digital identification comes increased tracking of those who are using these online identities. Over time, biometric data collection and analysis, such as facial recognition software, has grown more sophisticated.[6] Pairing centralized biometric databases with highly advanced recognition software and digital identities creates a perfect opportunity to track citizens and other digital identity users in real-time.[7] This sort of centralized data collection and monitoring can easily be used to violate civil rights. In the wrong hands, such capabilities could be used to concentrate power further and help authoritarian governments track and capture dissidents, suppress protest movements, and make it generally harder for citizens to take back control.[8]

Hacking, identity theft, and fraud

The rise of digital technology has brought with it new and widespread security issues. Reports of data breaches and significant hacking incidents involving prominent retail, financial, and even government databases have been on the rise in recent years. With digital identities and relevant identifiable data stored in centralized databases, the risk of compromise is very real.

In 2007, Estonia faced what has been often referred to as the world’s first cyberwar. After the relocation of a Soviet war memorial in Tallinn to a less prominent location, the country’s entire web infrastructure—websites for parliament, banks, newspapers, and ministries—was suddenly taken offline, leaving large parts of the country “at a standstill.”[9] Though it has never been confirmed, the barrage of cyberattacks was traced back to Russia and have primarily been believed to be a Kremlin-sponsored event.[10] Nevertheless, the unexpected cyber crisis served as a significant wake-up call on the vulnerability of centralized digital databases and the critical need for cyber defense mechanisms worldwide.

Ten years later, in August of 2017, Estonia faced another compromise when it realized that every private authentication key generated for its eID cards was vulnerable to hacking due to a flawed centralized library system. Until the government discovered this vulnerability, more than 800,000 eID cardholders were at risk for having sensitive information, including digital signatures used for voting and legal documents, stolen.[11] Despite vast security improvements over the ten years between the first and second incidents, vulnerabilities to hacking continue to haunt one of the most advanced digital societies to date.

Analysis: Do the benefits outweigh the challenges?

As technology progresses and digital dependence spreads widely across the globe, concerns for privacy, security, and equitable access will continue to sit at the fore of conversations surrounding digital identities. Critics of the proliferation of e-identities are rightfully concerned about the potential human rights violations, the high susceptibility to foreign interference or hacking, and the general lack of regulation surrounding the centralized collection and use of private data. However, as laid out earlier in this paper, there are some legitimate and universally beneficial uses for digital identities. In war-torn regions, where hundreds of thousands of people are displaced, a digital identity could serve as a starting block for helping families get back on their feet. As concerns grow regarding election security in democratic and transitioning countries around the globe, e-identities provide a solution to many of the traditional barriers to secure implementation, voter access, and turnout.

The world is growing more digitally dependent by the minute, and digital identities seem to be inevitable. With major global institutions, the World Bank and the United Nations, aiming for universal adoption of legal digital identities within the next decade and numerous countries already adopting their own e-identity goals, digital identities are not a matter of if but a matter of when.[12] As with any new transformational technology, there will be challenges. However, these challenges are not unmanageable and should not be prioritized as reasons to avoid the implementation of something that can provide a net good for a global society. In conjunction with sound, comprehensive, and technical regulation, the benefits of digital identities almost certainly outweigh the potential challenges, and it will be up to policymakers to ensure safe implementation.

Looking Forward: Mitigating the Risks

Blockchain

Maintaining data integrity is one of the primary concerns relating to the rollout of such a substantial infrastructural change. This can be addressed by utilizing blockchain methodology, as mentioned above. Although “blockchain” has become a bit of a buzzword, it can most simply be characterized as weaving a community tapestry in which each person makes a loop, and then passes the thread along to the next person. With a continuous cycle of weavers on the loom, no individual can amend the tapestry without being noticed. In this way, we know who makes every stitch, and if something is out of place, then the community rejects that bit of the fabric. For further explanation, please see Figure 1 below.

Cyber Commands

With this in mind, one might reasonably ask next how that data within the digital tapestry is kept safe. In the current age of identity theft overpowering bank heists and home invasions, it seems plausible that such a robust dataset would be a high-value target. While this is true, it’s also true that the governments of the major world powers are the most adept cybersecurity forces on earth. These governments possess ample tools to track such activities, identify threat actors, learn their methods, patch the vulnerabilities they exploit, and even predict their next targets. Although we’ll never be able to eradicate criminality overall, cybercrime always leaves a paper trail, and tracking down that evidence can lead to the prevention of other such attacks from ever occurring. Accordingly, policymakers must continue to fund cybersecurity staff and resources to ensure that government work is as appealing as the private sector.

Distributed Data Servers

Knowing now that digital tapestries are uneditable and nearly impenetrable, one may ask how we can guarantee that they won’t be erased. Indeed, many malware and so-called ransomware attacks have occurred against corporate and government entities alike – sometimes with disastrous consequences.[13] Nevertheless, those painful lessons have resulted in equally essential learning outcomes. The answer to assuaging vulnerabilities lies in distributing data servers across a variety of geographical and political locations. Thus, if one data center is eliminated through an act of human or nature, the same data remains available across hundreds of locations around the world. Many are also intentionally disconnected from the Internet after regular to protect against an event in which malware infects the entire network and causes catastrophic data loss. The archived data on the isolated servers can be quickly re-uploaded once the system is back online to re-supply the information with minimal damage.

User Identity Verification

Another way in which we have learned from past mistakes is to integrate analog trust measures alongside the digital infrastructure. In much the same way that nuclear launch codes require several individuals to access hard-copy information and confirm their intentions, a similar methodology can be replicated for sensitive transactions. For example, after sophisticated cyberattacks on a bank in which the users were lured into believing that they were sending sensitive data to colleagues, a policy has emerged in which specific “keys” written on paper must be hand-delivered to the intended recipient.[14] Unique biometric data such as fingerprints or optical scans can also be strong user identifiers to prevent attacks like phishing. This blend of contemporary and classic data-security techniques is yet another failsafe to protect that which we hold most dear.

Overall, there are scores of additional security measures that governments can take to secure this data. The items herein serve to provide just an overview of the techniques our most brilliant cyber operators have developed to prevent modern crime and catastrophe. Some technological thinkers have even suggested that there are a finite number of ways to “break” firewalls, and eventually, we may be able to build a truly impenetrable system.[15] Although some disagree, the truth remains that all current and past methodologies are equally as vulnerable, if not more so.

Imagine a system more secure than Fort Knox. Consider a data vault so advanced that – even if it were penetrated – all of the assets could be instantly encrypted and transferred to another equally secure Fort Knox around the world among hundreds of Forts Knox. As we continue to improve these technologies and learn from the innovators that have gone first, we can strive to ensure that each iteration is more secure than the last. But, to really spearhead this advancement, policymakers must be willing to take the first steps toward investment and exploration in this life-saving field.

Conclusion

Policymakers face a major hurdle in gaining acceptance for e-identity systems--both among their peers and constituents. This hurdle will require acknowledgment from a critical mass of people that the benefits of such a system outweigh the risks. Although it may seem like an impossible task (especially for larger nations), we must all accept that this is the inevitable future of e-governance. To that end, the leaders of today can show that the risks have been measured, and they can be mitigated with proper tools, staff, and policy controls to preserve civil rights. Learning from the pioneering examples mentioned above, we can cite successful pilots which demonstrate that for every cost, there is a benefit, and for every threat, there is a countermeasure.

[1] Avi Turgeman, “Council Post: Demystifying Digital Identity: What It Is, What It Isn’t And What It Can Be,” Forbes Technology Council, November 15, 2018, https://www.forbes.com/sites/forbestechcouncil/2018/11/15/demystifying-digital-identity-what-it-is-what-it-isnt-and-what-it-can-be/#5bdab87f2af1.

[2] Colin Harper, “World Refugee Day: How Digital Identities Can Help a Population In...,” Bitcoin Magazine, June 20, 2018, https://bitcoinmagazine.com/articles/world-refugee-day-how-digital-identities-can-help-population-crisis,

[3] Jordan Hall, “Can Blockchain Technology Solve Voting Issues?,” Nasdaq.com, Bitcoin Magazine, March 7, 2018, https://www.nasdaq.com/articles/can-blockchain-technology-solve-voting-issues-2018-03-07.

[4] “Estonia’s i-Voting: More Secure, More Popular,” e-Estonia, September 25, 2017, https://e-estonia.com/estonias-i-voting-more-popular-more-secure/.

[5] World Bank.

[6] Peter Trepp, “How Face Recognition Evolved Using Artificial Intelligence,” FaceFirst Face Recognition Software (blog), February 28, 2019, https://www.facefirst.com/blog/how-face-recognition-evolved-using-artificial-intelligence/.

[7] Brett Solomon, “Digital IDs Are More Dangerous Than You Think,” Wired, September 28, 2018, https://www.wired.com/story/digital-ids-are-more-dangerous-than-you-think/.

[8] Justin Sherman, “Digital Authoritarianism and the Threat to Global Democracy,” Bulletin of the Atomic Scientists (blog), July 25, 2019, https://thebulletin.org/2019/07/digital-authoritarianism-and-the-threat-to-global-democracy/.

[9] Elizabeth Schulze, “When This Country Faced a Suspected Russian Cyberattack – It Took Some Big Steps to Stop Another,” CNBC, September 21, 2018, https://www.cnbc.com/2018/09/21/when-this-country-faced-a-suspected-russian-cyberattack--it-took-some-big-steps-to-stop-another.html.

[10] “A Look at Estonia’s Cyber Attack in 2007,” msnbc.com, July 8, 2009, http://www.nbcnews.com/id/31801246/ns/technology_and_science-security/t/look-estonias-cyber-attack/.

[11] “What We Learned from the EID Card Security Risk?,” e-Estonia, May 14, 2018, https://e-estonia.com/card-security-risk/.

[12] “Top 5 Digital ID Trends Shaping 2020 (and Beyond),” accessed December 5, 2019, https://www.gemalto.com/govt/identity/digital-identity-services/trends.