91249 Digital Identity Toolkit A GUIDE FOR STAKEHOLDERS IN AFRICA June 2014 Table of Contents Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Section I: Overview – Identity Matters I.1 Identification is Necessary for Modern Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 I.2 Digital Identity as a Platform for National Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 I.3 Digital Identity is Growing in Developing Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Section II: How Identity Management Works II.1 Identity as a Set of Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 II.2 Identity Lifecycle: Registration, Issuance, and Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 II.3 Registration: Enrollment and Certification that Identity is Authentic . . . . . . . . . . . . . . . . . . . . . . . . 9 II.4 Issuance: Providing a Credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 II.5 Use: Authentication and Updating of an Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Section III: Developing a Digital Identity Program III.1 Policy and Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 III.2 Institutional Framework and Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 III.3 Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 III.4 Trust, Privacy, and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 III.5 Operational Processes and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Section IV: Policy Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Acknowledgments This report was prepared by Joseph J. Atick, PhD (Chairman, Identity Counsel International) and Zaid Safdar (Task Team Leader, World Bank), with inputs from Alan Gelb (Center for Global Development), Elena Gasol Ramos (World Bank), and Seda Pahlavooni (World Bank). The work was conducted under the management of Randeep Sudan (Sector Manager, ICT), Mavis Ampah (Program Coordinator, ICT Africa), and Samia Melhem (Chair, DigDev CoP) of the World Bank. The team is grateful to the Government of France for its financial contribution, which has made this project possible. The report additionally benefited from a background note and extensive work done by PricewaterhouseCoopers (PwC) of South Africa. We wish to thank Véronique Massenet of the Government of France; Alain Ducass of Adetef; Frank Leyman of IDM Expert Group; and Robert Palacios, James Neumann, Harish Natarajan, Balakrishnan Mahadevan, Tenzin Norbhu, Mariana Dahan, and Kaoru Kimura of the World Bank for their helpful feedback and comments. We wish to thank the Translation & Interpretation Unit (GSDTI) of the World Bank for the Editing of the Toolkit and Manuella Lea Palmioli (GSDTI) for the cover design. The team also wishes to thank Tasneem Rais and  Michele Ralisoa Noro of the World Bank for managing the publication of the report. Acknowledgments v Executive Summary Digital identity, or electronic identity (eID), offers 6.5 billion mobile phone users in the world today,2 moile developing nations a unique opportunity to acceler- phones and the Internet are the widest channels for ate the pace of their national progress. It changes the service delivery. By 2013, 67.4 percent of Sub-Saharan way services are delivered, helps grow a country’s dig- Africans had a mobile phone subscription, total- ital economy, and supports effective safety nets for ing 614 million mobile phone subscriptions.3 Today, disadvantaged and impoverished populations. Digital 8.5 percent of Africans are using smart mobile devices, identity is a platform that transcends economic and such as smartphones or tablets, totaling 77 million users.4 social sectors and contributes to enhancing a country’s Though digital identity is an opportunity, it raises political environment. For some, digital identity is a important considerations with respect to privacy, cost, “game changer” or a “poverty killer.”1 India’s Aadhaar capacity, and long-term viability. and Estonia’s identity programs are examples in which This report provides a strategic view of the role of iden- eID has effectively been used to promote economic and tification in a country’s national development, as well as social development. a tactical view of the building blocks and policy choices Though of particular relevance to developing nations, needed for setting up eID in a developing country. eID has been important to developed nations as well. Most rich countries have robust identification systems, Why identification? which provide their people with an “official identity,” grounded on official documentation, such as birth cer- Identification plays an important role in facilitating tificates. The official identity is used to provide public the interactions of individuals with their government safety, policing, national security, and border protection. and with private institutions to operate in a structured Today, firms in developed countries use innovative tech- society. Without a robust means of proving one’s iden- niques in authenticating a user’s official identity, whether tity, exercising one’s basic rights, claiming entitlements, in mobile applications, digital commerce, social media, accessing a range of governmental services, and con- or everyday use. For developing nations, the absence of ducting many daily activities could be hampered. In an official identity would pose a fundamental challenge. addition, a lack of effective identification could ren- The advent of new technologies—in the form of der government organizations less efficient and less mobile devices, social media, and the Internet—offers additional opportunities for developing countries. When 1  ee press release: “India’s Massive I.D. Program Exemplifies S ‘Science of Delivery,’” at http://www.worldbank.org/en/news/ combined with mobile phones and the Internet, iden- feature/2013/05/02/India-8217-s-Massive-I-D-Program-Exempli- tification allows services to be delivered electronically, fies-8216-Science-of-Delivery-8217 (last accessed May 10, 2014). 2 Wireless Intelligence (2014). giving a boost to government efficiency and leading to 3 Wireless Intelligence (2014); World Bank (2014). the creation of new online products and services. With 4 Ibid. Executive Summary vii accountable. As such, robust identification is recog- is the possible use of biometrics—i.e. technologies nized as an important tool for socioeconomic and that use patterns, such as fingerprints, iris texture, political development. or facial geometry—to determine a person’s identity. Biometrics can be used to uniquely identify individ- What is electronic identity (eID)? uals in lieu of robust civil registration systems, which capture the birth or death of people, or in the absence Today, the importance of identification is increasing, of official birth certificates in developing countries. as more human activities and transactions are con- Governments face the choice of strengthening their ducted online and are becoming mobile. This trend civil registration systems or using biometrics, or creates new opportunities and new vulnerabilities, both. Though biometric technologies offer an attrac- and prompts the need for digital identity. eID provides tive option in the context of developing countries, technology-based solutions for identification in order they pose additional considerations regarding privacy, to uniquely establish a person’s identity and to creden- cost, capacity, and long-term viability. Biometrics can tial it, so that the identity can be securely and unam- also be used for authentication, though this approach biguously asserted and verified through electronic requires strong provisions with respect to fraud pre- means for delivery of services across sectors, including vention and liability management. healthcare, safety nets, financial services, and trans- Two aspects of a national technology strategy are port. National governments play an important role in also noteworthy: a country’s underlying technology facilitating the development of such systems, and in infrastructure and the importance of international building the trust required to establish and maintain standards for eID systems. A modern eID system can them, through informed policy and regulations, which require a well-developed infrastructure offering high- must be in effect before the full benefits of such sys- speed Internet, which is not always a given in many tems can be realized. developing countries. A vibrant domestic information technology (IT) industry can be important, offering Privacy is pivotal human capacity, possible partnership with the private sector, and a local marketplace of new products and The data-centric nature of eID and the collection and services using eID. Additionally, the use of international retention of information—often deemed personal—of standards is essential to ensure interoperability across, individuals can be perceived as an invasion of privacy. at times, disparate eID systems, and to protect against A successful eID program can become pervasive over lock-in due to a single vendor or a specific technology. time, creating digital data trails of a person’s routine actions, linked to a unique and traceable identity. Thus, The cost dimension the effects on privacy can be further compounded. To protect the privacy of people, an eID program has to Such eID systems can be costly, in terms of expen- institute strong measures, including, but not limited ditures related both to upfront setup and ongoing to, appropriate legislation, data protection, public operations. Expenses are to be minimized, keeping notices, an individual’s right to consent, design princi- in view the total cost of ownership of eID systems. ples for privacy, a documented privacy policy, an inde- Governments can consider potential revenue flows by pendent body for privacy oversight, and the effective offering identity services to offset the investment nec- enforcement of laws and regulations. essary to develop an eID and to induce sustainability in its operation. Public-private partnerships (PPP) can Technology as an enabler provide an avenue through which to relieve the fidu- ciary burden. A financial and economic model, with Technology provides a means by which to auto- detailed expected costs and potential revenue streams, mate the various steps involved in a national identi- needs to be developed in advance. This report offers fication system. Chief among the technology choices insights into the cost dimension of eID systems, though viii Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA indicates that a separate, detailed study on cost-benefit deal with technology. Thus, leadership, governance, analysis could help bolster the findings of this report. and capacity are important elements in the design and setup of an eID platform. Coordinating across sectors In this report, we present a conceptual overview of and building human capacity digital identity management practices, providing a set of guidelines at a national level that policymakers can Launching an eID system can be a significant find helpful as they begin to think about modernizing undertaking for a government in a developing the identity infrastructure of their country into country. Two challenges are noteworthy. First, eID. The report provides an operating knowledge the cross-sectoral nature of eID requires top- of the terminology and concepts used in identity level leadership and effective coordination across management and an exposition of the functional blocks government agencies. Many developing countries that must be in place. Given its abridged nature, the offer a fragmented identification space, where report is intended to be insightful and detailed, though several agencies, both public and private, compete not exhaustive. Several important topics related to eID to offer identification in the form of multiple identity are noted though deserve further discussion, including: cards supported by multiple identity registers. economic and financial analysis, the development and Coordinating the development of an official identity setup of a national civil register, and cross-border across these disparate eID programs can be difficult. aspects of eID. The building blocks, as discussed, can Second, the technology-centric nature of eID can help ensure that a secure, robust and reliable digital put great demands on the technical capacity of identity platform can serve the development needs of government agencies, some of which may not directly a country for the foreseeable future. Executive Summary ix I. OVERVIEW: Identity Matters I.1 Identification is Necessary identification systems capable of establishing unique, for Modern Development official identities for individuals to enable e-government and e-commerce. Central to a government’s ability to deliver services to Identification is thus a prerequisite for modern devel- its people, whether those services be healthcare, safety opment. A robust identity system involves capturing the nets, or drivers’ licenses, is knowledge of who those unique identity of each individual in a national identity people are. The same is true for private enterprises. For registry. Once a registry is established, a government may example, a bank’s ability to offer services to its clients— issue official identification to each person in the form of such as opening a bank account or securing a loan— a national identity card with a unique identification num- requires a certain knowledge of the intended recipient. ber, and it may also operate identity services that verify This is where identification programs come in. personal identity online. A national registry can then be With the growing use of mobile phones, social media, used across sectors—from education and healthcare to and the Internet, the need transportation and urban for identification becomes development—for the even more important. Today’s modern society creates delivery of services, both When combined with new demands on identity: public and private (see mobile phones and the Figure 1). For example, Internet, identification identity has to be mobile, a government offering allows services to be deliv- transactional, interoperable, safety net transfers to ered electronically, giving portable, and social—in the country’s poor can a boost to government use the national identity efficiency and leading to addition to being secure. registry to help identify the creation of new prod- the target population and ucts and services online. With 6.5 billion mobile phone issue cash transfers electronically. A financial institution users in the world today,5 mobile phones and the Internet can use the national registry to easily validate identity, are currently the largest channels for service delivery. By thereby addressing a key aspect of Know Your Customer 2013, 67.4 percent of Sub-Saharan Africans had a mobile (KYC), and can offer a host of financial services, such phone subscription, totaling 614 million mobile phone as opening an account, securing credit, taking deposits, subscriptions.6 As for smart mobile devices, 8.5 percent or paying for services, whether at a bank branch, on a of Africans are using a smart phone or a tablet, totaling 5 Ibid. 77 million users.7 Employing these new channels for 6 Ibid. service delivery requires investing in robust and reliable 7 Ibid. OVERVIEW: Identity Matters 1 computer, or on a mobile phone. Immigration author- 36 percent of children worldwide and 40 percent of ities may track who enters and exits the country, and children in the developing world were not registered at link national passports with the unique identity of each birth.9 South Asia had the highest percentage of unregis- person. Without a reliable way of proving one’s identity, tered births (63 percent), followed by Sub-Saharan Africa exercising basic rights, claiming entitlements, access- (55 percent) and Central and Eastern Europe (23 percent). ing a range of governmental services, and conducting Among the least-developed countries, under-registration many daily activities could be hampered. Governments was at 71 percent.10 Even for those who are registered, play an important role in facilitating the development birth certificates are often difficult to access due to poor of such identification systems and in inculcating trust, record keeping, lack of mobility, or corruption.11 primarily through regulations, for the broad adoption Depending on the context, identification can go and use of identity.8 beyond delivering services efficiently. Identification can For developing countries, identification poses a daunt- also be a foundation for a secure society. Herein lies the ing challenge. Many of these countries lack robust iden- difference between rich and poor countries in the way tification systems inclusive of their entire population. governments sponsor identification. In rich countries, Some operate in a fragmented identification space, where official identity has long been used to provide public several agencies, both public and private, compete to safety, policing, national security, and border protection. offer identification in the form of a health insurance card, a bank identity card, a voter identity card, or a ration 8  ee Organization for Economic Co-operation and Development S Report “Digital Identity Management for Natural Persons: Enabling card. An official identification is often missing among Innovation and Trust in the Internet Economy” (2011). these varied identities, leading to inefficiencies in the way 9 The United Nations Children’s Fund (UNICEF), “The ‘Rights’ Start to Life: A Statistical Analysis of Birth Registration,” (New York: the government and firms interact with the population. UNICEF, 2005). Offering an official identity in a developing country is 10 UNICEF Innocenti Research Centre, ”Birth Registration: Right  from the Start,” Innocenti Digest No. 9, (Florence: UNICEF, 2002). even more difficult in the absence of birth certificates, 11  ee Gelb and Clark, “Identification for Development: The Biometrics S a foundation for official identification. In 2000, some Revolution,” Working Paper 315 (Center for Global Development, 2013). Figure 1: A National Vision for Economic and Social Development Transform the efficiency Safety Nets of safety nets with electronic cash transfers Track immunization of Healthcare children and delivery of healthcare to citizens Civil Registration Accelerate financial National Finance inclusion using digital Identity banking and payments Identity Registry Enrollment Issue drivers' licenses Transport linked to digital Register people identity registry for identity Record unique identity of people in a national electronic registry Track border control and Immigration issue passports linked to digital identity registry Source: World Bank analysis. 2 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Identification in Social Protection When mechanisms for identification are weak, individuals may experience difficulty proving their eligibility for social protection assistance. Without a common identity, coordination among different development programs on the identification of potential beneficiaries becomes more difficult and costly. Invariably, multiple databases result, with beneficiaries’ identities not necessarily linked across them. These programs become vulnerable to misuse and sizeable leakages. Examining how fraud could manifest itself within this illustrative context underscores the scope of vulnerability of identification-based service programs in general: • An individual may assume multiple identities, using false or assumed names when registering for benefits, and thereby receive more than his or her fair share of assistance (monetary, food, etc.). • A head of a household may inflate the size of his or her family by “borrowing” children from other households during household registration. Often those same children are lent back to other households and registered again, resulting in exaggerated family units. • When aid is in the form of guaranteed employment, an individual who secures work may “outsource” that labor by selling it to another individual who performs the work in his or her place. • In long-term programs, the death of a beneficiary may not be communicated in a timely fashion. The ration or benefit card of the deceased could continue to be used by a family member or another individual. • The registration of fictitious individuals (or ghost workers) through collusion with local government may aid workers who see the lack of identity accountability as an opportunity to defraud the program. In poor countries, official identity is seen as instrument these gains come with risks, which are to be mitigated. for economic, social, and political development, such as A digital identity platform automates the steps of a by reducing leakage in government-sponsored programs, national identification system with a number of tech- enhancing government efficiency, improving labor nology-based solutions, which include: mobility, and enhancing social inclusion, empowerment, and accountability. The gap between rich and poor coun- ◆◆ Biometrics: In the absence of a strong civil registry tries is, however, narrowing, as more transactions are system (such as for birth, death, or marriages) in de- conducted online. Even in rich countries, identification veloping countries, biometrics offers a possible tech- systems are beginning to play an important role in facil- nology to uniquely identify individuals. Biometrics itating e-government and e-commerce.12 consists of electronically capturing a person’s face photo, fingerprints, or iris. Biometrics may also be useful for authentication. I.2 Digital Identity as a Platform for National Identification ◆◆ Electronic databases: Instead of storing identity in- formation in paper registers, creating significant Digital identity provides a cross-sector platform on stress on cost and efficiency, electronic databases can which to establish a robust identification system in a be used to store and reference identity data. Elec- country, on a rapid timetable, and enables services tronic capture and storage of data is also a first step across sectors to be delivered electronically. Such a towards offering electronic services. Electronic development can be transformational for a country, offering gains in government efficiency, private sector 12  ee for example The U.S. White House Report, “National Strategy S development, and national development. However, for Trusted Identities in Cyberspace,” (April 2011). OVERVIEW: Identity Matters 3 storage of identity data allows data to be recovered in Along with its benefits, a digital identity platform the face of natural or man-made disasters. poses several risks, which require mitigation. First, the electronic capture and storage of personal data requires ◆◆ Electronic credentials: Once identity information is strong provisions of governance and management to captured, governments may offer identity credentials ensure its security and privacy, protecting it from misuse, to individuals in the form of paper-based national ID exploitation, or theft. Second, building a digital platform cards, or electronic smartcards. The use of smart- can be costly, requiring careful attention to optimizing cards can offer advantages for electronic health re- the cost structure, and exploring potential revenue cords, immunization records, electronic payment streams for making the effort sustainable. Third, a digital transfers, and other applications. platform puts greater demands on the technical capacity of the responsible organization and requires balancing ◆◆ Mobile, online, and offline applications: With digital with the use of public-private partnerships, where fea- identity, services can be delivered on a computer or a sible. Finally, a digital platform requires an eye towards mobile phone for a range of sectors, including health- long-term operations and maintenance, necessitating care, education, banking, social services, and others. provisions of cost, capacity, and upfront design, to ensure The availability of point-of-sale (POS) devices can that identification works well in the long run and is not enable an efficient means of authentication, allow subject to operational decay over time. signup for bank accounts or other transactional ac- counts, and further increase the use of electronic transactions. I.3 Digital Identity is Growing in Developing Countries A number of developing countries are building digital identity platforms as a means of enabling economic and social development. In 2013, Gelb and Clark surveyed Digital Identity Platform for National FIGURE 2:  and identified over 230 digital identity systems across Identification more than 80 developing countries. These systems use Building Blocks biometric technology to identify a segment of popula- of Identity Sample Digital Solutions tion for the sake of economic or social development. These systems consist of two types: (a) foundational – • Biometrics: Capture unique Capturing identity of people using which are built in a top-down manner with the objec- identity data biometrics. tive of bolstering national development by creating a general-purpose identification for use across sectors; • Electronic databases: Store and (b) functional – which evolve out of a single use- identity data electronically, as case, such as voter ID, health records, or bank cards, Storing identity opposed to on paper. data and have potential for use across sectors. According • Disaster recovery: Recover to Gelb and Clark, at least 37 countries offer multi- electronic data in case of disaster or loss of data. ple functional platforms for digital identity. For exam- ple, in India, there are 15 or more instances in which a Offering identity range of actors (central, state, and municipal govern- • Smartcards: Issue electronic credentials form of identity credentials. ments; donors; and NGOs) use biometric identifica- tion. Kenya, Malawi, Mexico, Nigeria, and South Africa offer a similar scenario. People in these countries carry Offering multiple forms of identity for different government electronic • Applications: Offer electronic agencies or private firms, posing potential challenges.13 services services linked with digital ID. Source: World Bank analysis. 13 Gelb and Clark (2013). 4 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA FIGURE 3: A Sample of Digital Identity Platforms Using Biometrics By Region Sub-Saharan Africa 75 Latin America & Caribbean 34 South Asia 27 East Asia & Pacific 14 Middle East & North Africa 8 Central & Eastern Europe 2 0 10 20 30 40 50 60 70 80 Number of Cases By Type and Region Elections 20 9 3 2 Social transfers 10 1 8 3 1 (application-driven) FUNCTIONAL Health 12 2 3 11 Financial services 8 1 3 1 Civil service admin. 5 3 1 2 Other cases 8 3 2 2 FOUNDATIONAL 12 18 5 4 4 2 (ID-driven) 0 5 10 15 20 25 30 35 40 45 50 Number of Cases Sub-Saharan Africa Latin America & Caribbean South Asia East Asia & Pacific Middle East & North Africa Central & Eastern Europe Source: Gelb and Clark 2013. Digital identity platforms differ across countries, information is collected.14 Such a model works well in including in the way technology is used (for register- a developed country, where the population is highly ing people or for issuing credentials) or in the way the educated, online services are widely used, and the civil institutional structure is setup. Estonia and India present registry is well developed. In contrast, in India, the gov- two examples at two different extremes. In Estonia, the ernment has launched a biometric system, capturing government uses a strong civil registry system to record 10 fingerprints and two irises of each registering indi- digital identity, issues a chip-based identity card bearing vidual, in order to issue a 12-digit unique identification a photograph, and allows users to use digital identity with 14 N  on-citizens provide 10 fingerprints, and Estonia now has a a personal identification number (PIN). No biometrics biometric passport. OVERVIEW: Identity Matters 5 number. No identity card is issued. The unique ID President responsible for rolling out the country’s number is then used for a variety of public and private unique identity program. In contrast, in Pakistan, a services, often in conjunction with the person’s address, National Database & Registration Authority (NADRA) biometric information, or password. Similarly, Ghana serves as an autonomous body within the government and Pakistan present two different models of insti- to offer digital identity services, and sustains operations tutional structures. In Ghana, the National Identity in part through fees collected via identification services. Authority (NIA) is an agency within the Office of the TABLE 1: Common Models of Digital Identity Systems Estonia India Institution: Citizenship and Migration Board, within Ministry Institution: Unique Identification Authority of India, within of Internal Affairs. Planning Commission of India. Technology Registration: Civil registration. Registration: Biometrics (10 fingerprints and iris). Credential: Identity card with a photograph and a chip. Credential: No physical credential (a 12-digit unique ID number or “Aadhaar” is given). Target population: 1.3 million people. Target population: 1.2 billion people. Use of ID based on: Personal ID number (PIN). Use of ID based on: Aadhaar number, along with demographic, biometric, or password. Ghana Pakistan Institution: National Identity Authority, within the Office of the Institution: National Database and Registration Authority Institutional Structure President. (autonomous body). Registration: Biometrics (fingerprints). Registration: Biometrics (fingerprints). Credential: National identity card (“Ghana Card”), and smartcard. Credential: National identity card with a photograph, smartcard, and mobile ID. Target population: 25 million people. Target population: 180 million people. Use of ID based on: National identity card and biometrics. Use of ID based on: Smartcards, mobile phones, and biometrics. 6 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA II. How Identity Management Works II.1 Identity as a Set of Attributes For the sake of clarity, it is worthwhile to distinguish, from the outset, two related processes: For our purposes, identity is defined through a set of human attributes or characteristics (referred to as iden- ◆◆ Identification Management: establishes a unique tifiers) that, once specified, narrow down all possible identity for each real person (identification), fixes it, entities to one and no other.15 credentials it, and binds it to Thus “identity = A, B, C, …” individual actions as they oc- attributes. The choice of attri- The goal of a national cur in the future (authentica- butes is what is called the identity program should be tion). Optionally, it can also link identity to an appellation identity regime. to attribute one identity or a legal name (legal or so- Traditionally, this regime has operated with attestable per person per lifetime cial identity) through a pro- biographic identifiers, such for all needs. cess called vetting, or identity as name, birth date, citizen- resolution. ship, address, profession, family, tribe, etc. Today, such ◆◆ Identity Intelligence & Identity Risk Assessment: a regime is considered less reliable, since its attributes discovers and tracks the reputation of an identity. could be hijacked or faked. This is rectified in the bio- Performs background checks against watch-lists and metric identity regime, which relies either exclusively other sources of identity knowledge.16 Uses statistical or primarily on immutable and indisputable attributes inference (e.g., big data) to predict intention based on called biometrics (see box on page 8). a history of prior actions; assesses the risk attributed An identification program should be able to answer to a given identity; and determines a trust score (just the question who is this person by searching the like a credit score). unknown person’s template within the database of tem- plates associated with known people (identification, or Often, and especially in rich countries, the two pro- 1:N search or matching) or to validate that they are who cesses are inextricably lumped together. In this paper, they claim to be by comparing their template to the one associated with the claimed identity (verification, or 1:1 15  nderlying this definition is Quine’s well known philosophical view U matching) retrieved from a central data repository or that “To be is to be the value of a variable,” and the assertion that “No entity is without identity.” W. V. Quine, “Ontological Relativity residing on another storage medium (e.g., a smartcard and Other Essays,” (Columbia University Press, New York, 1969). the person may be carrying). The implication is that specifying a rich group of attributes can always achieve the specificity of identification. There are some misconceptions and differences in 16 This may include checks of Internet protocol (IP) addresses, postal terminology as to what identity management is about. addresses, or other forms of information relevant to a person. How Identity Management Works 7 Biometrics Biometrics are characteristics of the human body that can be used as attributes to establish personal identity. Biometric systems begin with patterns, such as fingerprints, iris texture, and face geometry, imaged via specialized sensors. The images are then converted, using proprietary algorithms, into a set of templates, which are mathematical codes intrinsic to the individual, insensitive to extrinsic image variability (skin condition, eye color, expression, hair style, viewing conditions, etc.). Given a large enough set (e.g., using enough numbers of fingers), this code can be demonstrated to be unique for each individual within a population size, with reasonable accuracy. Thus, identity can be conveniently fixed through a set of biometric identifiers that have sufficient resolving power to distinguish unambiguously any given person from the entire group. In addition to fingerprints, face prints, and iris scans, additional forms of biometrics have emerged in recent years, including voice prints, retinal scans, vein patterns, and DNA. Other ways to fix identity that do not use biometrics include the use of robust civil registration procedures. we focus on identification management as defined in during each phase, as well as some of the Use Cases, article 1 above, since that is most relevant for develop- that emerge in the public as well as private sectors once mental applications and the practice of that discipline an identity has been registered and issued a proof of is mature enough that it can be considered a standard identification. The list of Use Cases is extensive but by element of a country’s information and communication no means exhaustive. technology (ICT) activities. We will refer to that inter- changeably as identity or identification management. Identity Lifecycle Showing the FIGURE 4:  Sub-phases under Registration, Issuance, and Use II.2 Identity Lifecycle: Registration, Issuance, and Use Use Registration An eID management program consists of a set of coor- Update Capture dinated processes supported by business functions, technical systems, policies, and procedures that, in their totality, deliver solutions for the different phases of the identity life cycle. It is widely accepted that the identity lifecycle can be Identity divided into three basic phases: Registration, Issuance, Authenticate Certify and Use; but these have sub-phases. For example, sometimes Registration is subdivided further, as Data capture/Enrollment and Certification, while Issuance is referred to as Credentialing and Use is subdivided into Credential Authentication/Verification and Update (or revocation), as shown in Figure 4. Issuance In Table 2 we also present some of the processes that need to be established in order to manage identity Source: World Bank analysis. 8 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Identity and Trust It can be argued that the role of identity has not changed since the beginning of civilization. Humans use identification to determine in which type of interactions to engage with other people. More specifically, we use identity to facilitate the actions of those we know and trust, and to protect us from those we do not trust or from those we do not know. Identity is what binds a person to his or her reputation, and reputation is what earns that person trust within the community, which in turn facilitates or inhibits that individual’s actions TRUST ACTIONS depending on his or her level of trust. The cycle of identification does not end. As we conduct Identity more actions, the volume of our reputational data increases and our trust level is continually adjusted through the judgment of the prevailing social, moral, and legal codes. Identity is at the core of human-human interac- tions and, by analogy, eID will be at the core of REPUTATION human-machine or human-information systems interactions as eID achieves more penetration. II.3 Registration: Enrollment of the three elements in Table 3. It is important to note and Certification that Identity that the use of biometrics is helpful in establishing is Authentic uniqueness, as we discuss below, but it is by no means the only method for doing so. In cases where the civil Identity Registration is the first and most important register is highly developed and reliable, the use of bio- step in capturing a person’s identity.17 It consists of a metrics becomes less important or may not be needed. set of procedures for collecting data (enrollment) and Biographic or biometric data associated with the Core using it to verify that the identity is authentic by vali- Identifying Data (CID) are first collected. In the case of dating the following conditions: biometrics, key attributes are imaged on specialized off- the-shelf scanners or sensors, or standard face cameras, ◆◆ Existence: claimed identity exists (and is alive, not a producing high-definition images of the fingerprint pat- ghost) at the time of enrollment and can be localized tern, the iris texture of the eye (in the infrared spectrum), (reached through address, email, phone number, etc.). or a standard photograph of the face.18 The Validation Data and the Metadata can consist of scanned copies ◆◆ Uniqueness: claimed identity is unique or claimed of breeder documents, such as birth certificates, voter only by one individual. cards, drivers’ permits, community affidavits (including those from religious institutions), certificates from edu- ◆◆ Linkage: presenter can be linked to claimed social cational institutions, and other proofs of identification or identity. The process begins by capturing identifying data from 17  dentity management is additionally about comparing the person I each person, which can include biographic or biometric who is physically present with the data retained in a database. 18  The market for biometric scanners is mature and is subject to a information at an enrollment center or in a field office body of standards and certifications that ensure consistency of using an enrollment station. The captured data consists performance and quality of captured images. How Identity Management Works 9 Table 2: Identity Management Processes throughout the Identity Lifecycle Process Registration Issuance Use Owner Capture/Enroll Certify Credent Authenticate Update Enrollment • Data Capture Agencies • Field Validation • Transmission National Identity • Vetting • ID-in-Cloud • Identity Services • Identity Profile Repository • Linkage • Certificate • Identity Authentication Updates • De-duplication Authority (CA) • Maintenance • Unique ID Number • Identity Revocation • Digital Certificates and Credentials Public Sector • Credential • Passport Acquisition Issuance • Immigration Control • ID Cards • Universal Health Care • eID and Mobile ID • Access to Social Services • Smartcards • PDS Programs • SIM Cards • Public Safety • Law Enforcement • Education • Children’s Rights • E-Government Services • Taxation • Business Registration • Pension Claims • Electoral Registration • Drivers’ Licenses • Property Registration Private Sector • Financial Services • Healthcare • Transportation • Mobile Transactions • SIM Card Registration • Creditworthiness • Employment • Travel use of name and social reputation, and/or may include known identities. For biometrics, the search engine is self-declarations of applicant collected by a trained agent called Automated Fingerprint Identification System during enrollment. (AFIS) or Automated Biometric Identification System The collected data is automatically compressed, (ABIS), depending on whether it uses fingerprints only encrypted by the enrollment software, and submitted or multiple biometrics for the search and match func- to a central repository. This repository is sometimes tion. A schematic of this process is shown in Figure 5. referred to as the National Population Register or the If no match is found, the identity is considered new and National Identity Register (NIR). There, it undergoes is passed on to the next phase for further validation. If, several steps of processing and validation. First, tem- on the other hand, a match is found, it means that this plates are generated from the biographical data or bio- identity was previously enrolled (duplicate). A human metric images, which are then exhaustively searched intervention or control step by a trained operator is used against all previously enrolled templates associated with to validate that the match is a fraudulent attempt and to 10 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 3: Type of Identity Data Typically Captured during Enrollment Data Type Description Core Identifying Data (CID) Minimum set of attributes required to define a unique identity and to fix it thereafter. Validation Data Proof that claimed identity exists and can be linked to a legacy social identity associated with a natural or legal person.a Metadata Other attributes or personally identifying information (PII) needed for Know Your Customer (KYC). European Commission, Proposal for a Regulation of the European Parliament and of the Council on Electronic Identification and Trust a  Services for Electronic Transaction in the Internal Market. See http://ec.europa.eu. take appropriate action to prevent it from registering. claimed social or legal identity. These use the validation Through this de-duplication process, the uniqueness of and identity metadata collected at the time of enroll- each record in the NIR is assured. ment. Here, an identity examiner analyzes the social A de-duplicated identity is then subjected to several footprint of the claimed identity by examining evidence procedures for vetting, proofing, and linking to the from breeder documents as well as by cross-referencing FIGURE 5: Schematic of the Identity Registration Process Using Biometrics Signal Biometric Identity Processing Image Capture Repository Enrollment Station Template AFIS/ABIS Generation Hit (Match) Duplicate Matching Logic Engine Template Database No Hit (No Match) Unique Source: World Bank analysis. Note: The enrollment station at the frontend captures biometric data and the AFIS/ABIS at the backend de-duplicates that data to ensure uniqueness of each record in the identity repository. How Identity Management Works 11 with other external databases, including property reg- eID credential (as discussed in item iii. below), but it isters, voter registers, civil registers, and police records. also allows for other means. This is necessary because When the examiner is satisfied that the identity is real other traditional forms of credentials are likely to and is linked to a socially existing identity, it may be remain in operation for a long time to come, and hence issued a Unique Identification Number (UIN)19 and is the eID credentials may not be the dominant frame- added to the NIR. From there on, this identity is fixed work of identity trust during this transition. Table 4 and is bound to the NIR for life. compares a range of options. The process of data capture (enrollment), vetting, The choice of the credential medium has important and validation (certification) completes the registration implications for overall identity system architecture, process of identity. An identity registered in this way is operations, Use Cases, and cost. These are all factors that an official identity. have to be considered in deciding what form of creden- tial is ultimately to be carried by a country’s population. II.4 Issuance: Providing a Credential ◆◆ Non-Electronic ID Cards: These continue to be the i. Non-Electronic Credentials least expensive but also the least reliable form of identification. The information printed on them Before a registered identity can be used (asserted), could be vulnerable to sophisticated alterations, it first has to go through a credentialing process. In counterfeiting, cannibalization, duplication, and traditional identity systems (non-eID), this involves substitution attacks, unless costly physical security the issuance of a proof of identification in the form features are implemented. But more importantly, of a printed ID document that is linked to the bearer they are largely unfit for electronic commerce, as through a secure mechanism of personalization (e.g., they have no provisions for carrying a digital creden- a photo of the owner, or a description securely printed tial or interfacing with a digital certificate and hence on the document) and carries a hallmark of trust in the cannot be used to secure transactions online. Simply form of some physical security features (an official seal, said, these are badges and not secure electronic IDs a hologram, etc.). Depending on the degree of trust that can be integrated into secure point-of-sale ter- implemented by the issuing agency, this ID becomes minals or online electronic commerce engines. more than just a badge; it becomes a secure identity or a credential. ◆◆ Smartcards: These emerged in the last twenty years For many years, this type of printed credential as an alternative to printed ID cards because, as fraud achieved the portability of trust. It allowed its bearer to grew more sophisticated, the integrity of identity assert his or her identity to a third party anywhere access documents could no longer be guaranteed through to the central register was impractical. Hence, it provided advanced printing technology alone. Smartcards, a general-purpose mechanism for meeting society’s iden- through the use of encryption and digital signature, tification needs (supported many Use Cases). are able to ensure that data on the ID credential was However, as the need for identity management has recorded by the authorized issuing agency and not shifted online, this credential has proved to be inade- altered subsequently and they are capable of carrying quate, and the process of credentialing eID has conse- the digital identity credential of the bearer, as quently become more involved than simply printing and issuing an ID card. 19 Th  e quest to attribute a unique number to each identity is not new. It goes back to the end of the 19th century when Dr. Luis Almandos, in Argentina, lobbied to issue each citizen a unique number based on ii. The Credential Medium the Dactyloscopic analysis of their fingerprints (manual fingerprint classification). What is new is the fact that the technology to achieve uniqueness exists today in the form of multi-biometric ABIS systems. For our purposes, a credential is a mechanism, process, India’s Aadhaar was the first example that showed the scalability of device, or document that unequivocally vouches for the multi-biometrics for the purpose of producing unique ID numbers for hundreds of millions of people without any practical impediments. identity of its bearer through some method of trust and 20  In a world where traditional identity and eID co-exist, we take a authentication.20 This encompasses the specific form of broader definition of a credential. 12 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 4: Types of Credential Mediums Used Traditionally and in eID Programs Credential Type Description Produced through a variety of printing technologies, including dye sublimation, laser engraving, and digital offset printing, and made resistant to fraud by adding a myriad of physical security features. These include special inks, lamination, optically variable devices, overlapping data, redundant data, forensic features, etc. Non Electronic Printed ID Cards Personalization is what binds it to bearer. When the printed ID card is equipped with a data pointer stored, for example, on a magnetic strip or quick response (QR) code and supported by back end identity services, this becomes an electronic ID (see ID in the Cloud below). A form of eID carried on a standard-size ID card. Offers advanced security features, since it can hold digital credentials and biometrics data on a chip that can be used for strong authentication to ensure that the holder of the card is the same as the authorized identity. This is a more secure and privacy-assured method, especially Smartcards when the credential-certificate pair is generated onboard the card and the credential never leaves the chip. The certificate is exported to a CA directory. They come with different interfaces: contact, contactless, and near-field communication (NFC). Mobile-based eID carried on a mobile communication device, such as a smart eID phone with a digital credential. Similar comments as to Smartcards credential- SIM Cards certificate pair apply (albeit different in detail, since security mechanisms are different between the two). Certificate as well as biometrics stay on the Identity Server at the NIR. Authentication happens through biometrics first, then the certificate is used to secure authorized transactions. ID in the Cloud This does not necessarily require a physical credential. An ID number is sufficient, although that number can be stored on the magnetic strip of a printed card or a QR code. discussed above. In the past, their cost and their re- asserted in the course of mobile transactions, assuming quirement for a complex IT environment were the there is an appropriate mechanism of authentication in principal criticisms against them. Use of smartcards operation. Nevertheless, while they are very promising, requires the development of a new service delivery the standards have not yet been established for how and distribution platform. Today, several countries these devices could deliver fully trusted interoperable have adopted smartcards to support eID and there is identity. There are several groups working on such a tremendous body of available worldwide experi- standards and, in view of the significance of this plat- ence. However, smart mobile phones have emerged form in the mass market, further developments are ex- as an alternative to smartcards, as mobile phones pected with a potential for participating in identity seem to provide a widely-available medium for car- management for mobile commerce.21 rying credentials and for asserting identity. In addition to the need for standards for interopera- ◆◆ Mobile Devices: Smart mobile devices have a great bility of identity, mobile devices lack strong authen- number of advantages that go beyond their high pene- tication mechanisms. Currently, a PIN or a password tration into society. They have powerful computing, may be used to authenticate an identity carried on a communication, and secure storage capabilities, both on subscriber identity module (SIM) and off SIM. They 21 S  ee for example the FIDO Alliance http://fidoalliance.org, and the can hold digital credentials, which can be conveniently Identity Ecosystem Steering Group http://www.idecosystem.org. How Identity Management Works 13 mobile device. This may be adequate for many pur- in order to establish a trusted mechanism for securing poses but may not be strong enough for high-value electronic interactions between two entities. In this case, transactions or for those in which the requirement once an identity has been registered, it is also issued two of non-repudiation is present. For these, two-factor additional digital assets, namely a public and a private authentication or biometric readers incorporated into key,24 which are securely bound to the identity.25 The cen- mobile devices present alternatives. This is starting to tral authority managing the NIR serves the function of happen. The world’s top two makers of smart mobile a Certificate Authority (CA), which the authority either devices have incorporated fingerprint readers into operates on its own or outsources to one or more third their offerings.22 In such a case, readers would likely be parties, including to the private sector. The public key able to interoperate and offer strong biometric-based is packaged with some identifying information (name, authentication. A useful feature of mobile devices is UIN, use restrictions, etc.), which is digitally signed, and that they do not require a new token, in contrast to is issued as an eID Certificate, and is henceforth kept in smartcards, and hence mobile devices offer good con- the public key directory (PKD). The private key is secured venience to consumers and potentially significant cost though an appropriate access control mechanism so that benefits in identity issuance. it can only be used by its rightful owner. For example, (strong) authentication could be implemented, which ◆◆ Non-token Credentials: Future eID is likely to in- would require a PIN, two factors, or a biometric match, clude a mobile component. But several interoperabil- before the private key could be released for use by the ity and security aspects require attention for mobile owner. Thus a private key secured through an authenti- identity to represent a dominant form of eID. In the cation mechanism becomes an eID Credential. meantime, there are other non-card-based options To guard against impersonation, it is imperative that that do not require a new token in the hands of the the owner maintains total control over his or her digital consumer. For example, the NIR could develop an credential. Given the importance of this, the questions identification-on-demand or identity authentication concerning where the eID credential is generated, during service. Identity can be asserted and verified via the what step of the process, where it is kept after generation, cloud (i.e., Internet) from any computer, terminal, or and how it is secured are crucial in order to maintain device with a biometric reader securely connected trust in the overall framework. The security details are online. India has demonstrated that identity over the beyond the scope of this report, so here we shall simply cloud is a viable option.23 In fact, instead of investing billions of dollars to equip each individual in the 22 B  oth Apple Inc. iPhone 5S and Samsung Galaxy S5 feature a fingerprint reader in order to control access to the device. These country with a physical card (which could cost US$3 are not fully interoperable and hence do not provide the type of to US$5 per person), the government decided to in- fingerprint authentication needed to turn the mobile device into a national eID but it is a first step towards this eventuality. vest in the ICT infrastructure at points of service 23 See Unique ID Authority of India http://uidai.gov.in for more  throughout the country to ensure their connectivity information on the success of authentication services for the Aadhaar program. to the backend identity services of the Aadhaar sys- 24 To understand the nature of these two assets, it is crucial to know  tem. Of course, identity on demand has challenges of how public key infrastructure (PKI) works to secure interactions. its own. It can primarily succeed if strong measures At a very high level, PKI is based on the use of a pair of encryp- tion keys: one is public and kept in a public key directory (PKD) to protect privacy and data security are adopted and managed by a trusted Certificate Authority (CA), while the other enforced, and a robust communications infrastruc- is private and is controlled by its owner. An individual’s public key can be used by a sending party to encrypt a message so that it ture is available for online identity. can only be read by that person using their corresponding private key for decryption. Similarly, the owner of a private key can use iii. eID Credentials it to digitally sign a message such that, when decrypted using the corresponding public key, the receiving party is assured that the message originated from that and only that person. Under eID, credentialing involves the use of a public 25 Mechanisms for generating certificates and credentials securely are complex, since they depend on whether these are issued in the cen- key infrastructure (PKI) framework, or other alterna- tral facility or on the medium (such as smart or SIM card) directly. tive frameworks, for encryption and digital signature, We will simplify the discussion by glossing over the subtleties. 14 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA FIGURE 6: Digital Assets Associated with an Identity in an eID System Biometric Biometric Unique ID Digital Digital Image Data Templates Number Certificate Credential The public Captured during Extracted from Generated and portion of The private enrollment in Biometric Image assigned to the encryption key portion of the key standard formats Data using unique identity pair, packaged pair generated biometric coding for life with some securely algorithms identifying and use information Stored in a trusted Archived in a Stored in an active May be environment either secure central database; communicated to in a central repository; Accessed on other government Stored in the PKD repository and/or Accessed again ongoing basis agencies to use it on a secure only if a need to during for client physical token re-template arises de-duplication and administration (smart card, verificacion mobile, etc.) Source: World Bank analysis. assume that a master copy of the identity credential is ◆◆ Improving access to financial services: A unique kept securely in a trusted environment at the NIR and digital identity can make it easier for the poor to ac- that a trusted copy of it (digitally signed by the issuing cess micro-payments, micro-credit, micro-insur- authority) is kept on some medium or token, which ance, micro-pensions, and even micro-mutual funds, constitutes an assertable credential. We discuss different which are becoming available. With small, volatile forms of credentials next. Figure 6 gives a summary of incomes, the poor lack facilities for savings or insur- all the digital assets associated with an eID. ance to protect against external shocks, such as ill- In summary, we now operate in a technology regime ness, loss of a loved one, loss of employment, crop where identity can be unique, certified, and digitally cre- failure, or to raise capital to start a small business. dentialed, yet the options for what physical credential to Mobile phones, automated teller machines (ATMs), use are multiple. We believe this will continue to be the POS devices, and agent networks provide innovative case going forward. Uniqueness of identity is driven by ways to access financial services, though many poor the requirement of trust; multiplicity of credentials is people are not able to fully benefit due to the lack of driven by the need for flexibility. Different forms of cre- registered identity. dentials are adapted for different Use Cases and hence we expect demand-driven proliferation of credential types. ◆◆ Preventing fraud: Digital identities can help plug the leakage of funds and prevent fraud in government programs. For example, in India, an audit of muster II.5 Use: Authentication and Updat- rolls of the National Rural Employment Guarantee ing of an Identity Scheme found 8.6 percent ghost beneficiaries, 23.1 Once an identity has been registered and issued a proof percent ghost person days, and only 61 percent of of identification, several Use Cases can be envisioned, wage payments reaching eligible workers.27 Paying in both the public and private sectors, as highlighted in 26  andeep Sudan, “Using Digital Identities to Fight Poverty,” (2013) R Figure 7. at http://blogs.worldbank.org/ic4d/node/593 (last accessed May These Use Cases illustrate how eID can help improve 10, 2014). 27  National Institute of Public Finance and Policy, “A Cost-Benefit the lives of the poor in developing countries, as demon- Analysis of Aadhaar,” (2012) at http://planningcommission.nic.in/ strated by the following examples.26 reports/genrep/rep_uid_cba_paper.pdf (last accessed May 10, 2014). How Identity Management Works 15 Data is Pervasive in eID eID systems are heavily data-centric: they consume data and they generate it. During registration, enrollment data is collected, transmitted, stored, and archived (upon death for example); but that is not all. Every time an eID is asserted by its bearer, it generates usage and transaction records that can accumulate in audit trail databases, controlled commercially or by government institutions. As such, the management of identity has gone from the issuance of ID cards in the past to the management of databases of large amounts of personally identifying information, and this data will only continue to grow as more eServices rely on eID and eID becomes more pervasive. Add to this the massive amounts of unstructured data that is accumulating online and on social media. In this way, one can see that we are heading towards a regime in which massive amounts of data are digitally available concerning people, their actions, and their reputations; all of this is linked through a reliable, unique, and traceable eID. These databases are likely to become key for organizations seeking to perform identity or entity resolution, identity harvesting, and reputation discovery, as well as other identity intelligence and analytics for the purpose of developing interest or risk profiles (targeted marketing or security risk assessment). The implication of this growth in data is that, increasingly, identity will be defined based on data external to the enrollment process, such as vetted social résumés (community vetted self- declarations), open-source reputational data, as well as from audit trails of use of eID. This situation could raise major concerns, the severity of which may vary according to each country, its policy and laws, and regional differences. Significant discussions are taking place around the world related to how to address this potential mega-data problem. These include use of Privacy Enhancing Technologies (PET), distributed databases, match-on-card, improved notice and consent provisions, as well as frameworks of trust that manage identity alongside anonymity. See Section III below for further discussion. beneficiaries and workers electronically introduces Creating a nationwide authentication infrastructure enormous efficiencies and prevents loss of funds. In is a gargantuan task. Such an infrastructure consists of: Nigeria, biometric audits resulted in a reduction of portals for online authentication; mobile applications for 40 percent in the number of federal pensioners.28 mobile-based authentication; POS terminals for smart card- or mobile phone-based authentication; and bio- ◆◆ Enhancing women’s incomes: A digital identity can metric terminals for biometric-based authentication, to ensure that benefits meant for women, such as con- name a few. Both a country’s government agencies (such ditional cash transfers, actually reach women. Ac- as driver’s license issuing centers, healthcare service cording to the International Labor Organization providers, and passport issuing centers) and its private (ILO), women contribute 70 percent of working firms (such as banks and airlines) rely on authentication hours globally, but receive only 10 percent of income as e-government and e-commerce applications continue flows.29 Thirty out of the bottom 40 percent of the to grow around the world. population in developing countries are likely to be women. Enhancing women’s incomes is recognized 28 Gelb and Clark (2013). as one of the most effective anti-poverty programs. 29 The Guardian, “Is Empowering Women the Answer to Ending Pov- The money transferred to women is spent on nutri- erty in the Developing World?” (2013) at http://www.theguardian. com/global-development-professionals-network/2013/mar/26/ tion, education, and clothing for the family, directly empower-women-end-poverty-developing-world (last accessed impacting poverty. May 10, 2014). 16 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA FIGURE 7: Sample Use Cases of Digital Identity Public Sector • Driver’s license • Passport • Healthcare • Safety nets Digital • Taxation Identity Private Sector • Financial Services • Business Registration • Property Registration • Transport Services • Mobile Transactions Source: World Bank analysis. Authentication requires iron-clad provisions for inherent constancy, poses larger security risks to a fraud protection and high reliability and necessitates user.30 Related to such risks is also a determination of additional considerations in the case of biometrics. At liability. In traditional authentication, the organization stake is the confidence of users in an identity system issuing the service, such as a financial service provider, and in an electronic model of service delivery and assumes sole responsibility and liability for wrongful transactions. The use of biometrics poses additional authentication or for misuse of digital information, such risks in terms of authentication. Digital authentica- as a PIN or password. In cases where a government tion, when achieved through PINs, passwords, or SIM agency collects biometric information and potentially cards, relies on the inherent ability of these mediums provides identity services, the ownership and delin- to change. For example, in the event of fraud, users eation of liability, protection of user information, and are advised to promptly change PINs or passwords. mechanisms for redress have to be clearly spelled out A compromise of biometric information, given its and governed by law. 30 M  itigation measures may involve using advanced technology to ensure that biometric templates are dynamically generated from a live person, instead of from a stored file, which may have been injected by a fraudulent event. How Identity Management Works 17 III. Developing A Digital Identity Program As discussed in Section I, digital identity is an import- The Functional Building Blocks FIGURE 8:  ant infrastructure for any modern society. As such, in an eID System it is the government’s responsibility to assure the development of robust, secure, and comprehensive Policy and Institutional programs that are capable of meeting the country’s Regulatory Framework and Issues Governance identity needs, now and for the foreseeable future. Setting up the correct identity program is a complex process with risks and challenges. Luckily, the world- Trust, Privacy wide experience in this domain is now rich and can and Security supply lessons learned on how to develop an eco- nomically viable and a risk-managed eID program. Operational Based on this body of experience, we will highlight in Technology Processes and what follows the types of decisions that policymakers Controls should expect to make; furthermore, we will identify the more critical components that have to be estab- Source: World Bank analysis. lished in order to launch an identity program on a national scale. In discussing the overall framework of eID, the issues Before a government commits to an eID program, that arise can be grouped under five functional building it should conduct an assessment of identity manage- blocks (see Figure 8). ment within the country, in the context of its cultural, political, economic, and development landscapes, to III.1 Policy and Regulation determine a go or no-go decision on eID. The analysis may include an examination of the Use Cases (such The first step is the adoption of a vision, at a Cabinet as healthcare, safety nets, or financial services) to be level, for the pathway towards a national eID. At this considered for eID; user eligibility (determining, for stage two distinct options emerge:31 a top-down or a bot- example, what groups are eligible for eID: citizens, tom-up approach, as discussed in Section I and summa- residents, foreigners, etc.); and the feasibility of safe- rized in Table 5. There are pros and cons related to both guards for human values in the country’s then state of approaches and a decision can only be made after care- development. Once a go decision is supported by such ful analysis of the fact patterns specific to the country’s an examination, the government can implement the steps needed to realize eID in the country. 31 In this Section, we use the terminology of Gelb and Clark. Developing A Digital Identity Program 19 Table 5: Pathways to National Identity Depending on What is Developed First Development Priority Description Advantages/Disadvantages Foundational to Top-down identity regime: A country first develops a Advantages: Functional general-purpose identity platform, which is designed • A true infrastructure for the country. to support all the identity Use Cases expected down • Aligned with national vision of the country. the line. It focuses on the enrollment under the framework of “enroll once and be identified for life.” • Avoids multiple registration and redundancy. The expectation is that, once identity becomes • Supports many Use Cases and innovation. a supplied commodity, an entire ecosystem of • Provides economies of scale. applications, not even imagined initially, will emerge; Disadvantages: as such, this approach views eID as a true general- purpose infrastructure. • Requires multi-stakeholder coordination. • Slower to launch and take up, since immediate applications may not drive it. Examples: India, Nigeria, Malaysia, Pakistan, South Africa, Kenya. • Requires sustained political will. • Could be vulnerable to changing governments. • Could potentially be more costly initially. • Development returns are realized on adoption and use. Functional to Bottom-up identity regime: A country begins with Advantages: Foundational a system that addresses the needs of a very specific • Easier to launch without multi-stakeholder coordination. application of identity (e.g., identification of vulnerable • Lower initial cost, since focused on one specific application. populations or healthcare recipients). Over time, such a system can evolve and merge with other functional • Faster adoption, since driven by a champion and an programs, then migrate towards a universal identity immediate application. regime in phased steps. Disadvantages: • Difficult to evolve to multisector foundational identity in the Examples: Ghana, Ethiopia, Afghanistan, Colombia, long run. Venezuela, Vietnam. • Prone to creating fragmented identity space, with multiple overlapping and incompatible identity systems in a country. • More costly to add additional applications. • A higher level of inconvenience to people, since they may be required to enroll multiple times in multiple programs. needs, timelines, budgets, political will, institutional needs of the ministry that is driving them, and their readiness, cultural and demographic composition, the success is not necessarily measured in their theoretical state of the legacy civil registration system (birth regis- ability to work with other external or national systems tration), and the government’s overall vision relative to many years down the line. Nevertheless, functional the role of identity. In Section I, we mostly discussed the approaches have some advantages: often, a single gov- foundational approach; here we compare the two. ernment agency presents a clear and immediate need Generally speaking, the biggest risk of a functional for identification and acts as a driver and a champion for approach is fragmented and overlapping, or, even worse, the system from day one, which improves the chances incompatible identity systems, which can be costly to of success. This advantage of the functional approach harmonize down the line. International standards could is in contrast to the foundational one. A foundational be used early on to mitigate such risks and to improve approach requires sustained political will during the the odds that the multitude of functional systems will initial enrollment phase to encourage take-up and interoperate down the line. In practice, we have yet to participation by the population in the absence of clear see this approach succeed on a large scale. Functional Use Cases at that early stage. Assuming that this can programs are typically focused on serving the immediate be achieved, the foundational approach offers more 20 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 6: Legal and Policy Matters that Need to be Investigated in Planning an eID Program Area of Inquiry Goal Issues to Investigate Legal Authority Determining if there are any • Does the government have the appropriate authority to implement each of legal show stoppers to proposed the tasks under the proposed eID program, including requiring its people to identity system provide personally identifying information such as biometrics? • What are the boundaries of authority when it comes to collecting, storing, archiving, accessing, using, disposing of, and modifying identity data? • Does paper identity equal electronic identity? • Which authorities can collect identity-related information? • What legal protections are afforded for validation or authentication, including with use of biometrics? Protections of Rights Establishing what is required • Identity bill of rights. of People to earn the confidence of the • Privacy rights. population • Data rights and ownership. • Anti-discrimination. • Anti-surveillance. • Recourse for abuse. Pro eID Policies Leveraging enabling policies to • Recognition of eID as a new legal category. promote eID • Use of digital signature. • Policies that promote eID as a trusted platform for interactions between people and their government, as well as for general trusted commerce. • Long-term ICT development policies. attractive benefits. For example, it provides a universal will go a long way in allowing this new form of identifi- infrastructure that can encourage innovation in uses and cation to be adopted and used. We discuss this topic in can be leveraged over time to address an ever-increasing further detail under the section of Trust, Privacy, and number of applications, hence achieving an economy of Security below. scale, even if the development returns may be slower. During the legal review, attention should be given to Once a vision for a national eID is established, a the broader ICT policies and regulatory environment. comprehensive legal assessment is needed to clarify the eID is an integral element of ICT and could benefit from current situation and to identify gaps in the three basic policies that aim, in the long term, to promote modern areas of inquiry, listed in Table 6. In most countries, and effective ICT infrastructure in a country. For exam- existing legislation that would impact identity and eID ple, policies that aim to provide more connectivity and is scattered throughout many different legal acts and online access to everyone, improved digital education regulations—including those pertaining to electronic and training, and incentives for the private sector to communication and commerce, electronic signature, participate in the development of ICT infrastructure in data protection, and privacy—market regulation laws, the country could also positively affect eID development. and even the constitution. Many of these legislations may have to be amended and new laws may have to be III.2 Institutional Framework enacted to fill in identified gaps. and Governance Ultimately, for eID to realize its adoption potential, it should be based on a sound legal environment, but it i. Institutional Arrangements should also ensure that it is a safe and secure means for transacting with adequate provisions for ensuring the Though identity management benefits several govern- privacy of consumers. Building trust with the public mental agencies, especially when it comes to functional Developing A Digital Identity Program 21 Table 7: Possible Institutional Arrangements for the National Identity Authority Organizational Type Examples Autonomous with Direct • India: the Unique Identity Authority of India was set up as an organization attached to the Planning Cabinet- or Executive-Level Commission of India, reporting into a Chairman who has the stature of a cabinet minister. Reporting • Ghana: the National Identification Authority of Ghana was set up as an organization within the Office of the President. Autonomous Governed • Nigeria: the National Identity Management Commission (NIMC) was established as a Commission through an by a Board Representing Act with the mandate to establish, own, operate, maintain, and manage the National Identity Database, register Stakeholders persons covered by the Act, assign a Unique National Identification Number (NIN) and issue General Multi- Purpose Cards (GMPC) to those registered individuals, and to harmonize and integrate existing identification databases in Nigeria. It is governed by a board of 18 individuals representing different government agencies and stakeholders. • Pakistan: the National Database Registration Authority (NADRA) is an independent, constitutionally established institution that manages the country’s identity registration database. An Agency or Directorate • Indonesia: Population Administration Directorate in the Ministry of Home Affairs. of an Existing Ministry • Argentina: Registro Nacional de las Personas (RENAPER), is a directorate under the Ministry of Interior and Transportation. programs, developing countries pursue different insti- ii. Institutional Roles: Scope of the NIA tutional models for developing foundational identity in a country. Which government agency takes responsi- The scope of the NIA’s mission requires a careful review. bility for implementing digital identity and how the dis- Identity systems involve the collection and manage- tribution of responsibility is shared across government ment of sensitive data pertaining to a country’s popu- agencies is determined by policy, legislation, and insti- lation. Hence, the responsibility of the NIA should be tutional capacity, among other factors. clearly defined, and should be balanced and managed To start with, appointing a national organization with the aid of other government agencies, the private to coordinate the development of a country’s digital sector, and the identity stakeholders. Strong provisions identity is beneficial. Such an organization should be for the effective governance of the NIA should be put empowered through law and political will, and should in place. At the highest level, five institutional roles demonstrate the capacity to serve as a national cham- need to be assigned for the development of a country’s pion and an effective implementer. We will generally eID. These roles could be grouped, from a data-centric refer to such an organization as the National Identity viewpoint, into three functions: collect, store, and use Agency (NIA). At a high level, the NIA is a central gov- identity data, as shown in Table 8.32 ernment body mandated with implementing the vision Among those five institutional roles, the second is and mission of the National Identity Register (NIR), as often attributed to the NIA and is considered to be its discussed in Section II. The agency manages, shares, core mission, irrespective of the organization’s other secures, and facilitates the use of information related to responsibilities. In this role, the NIA focuses on estab- eID of citizens and of eligible residents. Several options lishing population enrollment data standards, operating exist for the institutional arrangements of the NIA, as the backend systems for de-duplicating identity and presented in Table 7. These include an autonomous ensuring its uniqueness, and for storing and protect- body reporting to a cabinet-level minister or to the ing the consolidated identity information. In this case, executive, an autonomous organization governed by an independent board representing the stakeholders, or a 32  s discussed in Section II, the collect function includes both A directorate within an existing ministry. Additional insti- capturing and certifying an identity. In addition, the use function tutional models, including with PPP, can be envisioned. includes authenticating and updating (or revoking) an identity. 22 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 8: The Institutional Roles Required to Affect a National eID Program Institutional Role Possible Tasks • Establish enrollment centers around the country (fixed, as well as temporary or mobile field enrollment units) which people can visit to enroll their identity. Collect Enrollment Agency • Mobilize the population, inviting them to come register their identity; or mobilize registrars to visit populations in their towns and villages to register them and collect information. • Capture the population’s identity data into eID profiles. Central Data Store: • Establish, own, and operate the country’s national repository for identity data. • Guarantee the uniqueness of individual identity through the deployment and operation of backend IT systems for the de-duplication of identity records, as well as through procedures for the adjudication required to resolve matches. • Attribute a unique number to each identity (UIN), where applicable, fixing an identity for life. • Secure and protect the population identity data against unauthorized access, corruption, fraud, and misuse. • Update/change/terminate eID profiles based on need. Standards and Interfaces: Store Central Repository • Define the standards for enrollment data types and formats, quality, and processes related to the registration of eID profiles. • Define the pathway for total enrollment coverage (inclusive) of the entire population, either as a standalone organization or as part of a collegial cooperation strategy involving other stakeholders in the country’s identity ecosystem (“the registrars”). • Establish the standards for identity vetting through links to the civil registry (birth and death registers) or through procedures for identity proofing. • Certify the registrars. • Set the standards and specifications for the ICT infrastructure required for secure access to the NIR for the purpose of identity verification. National Identity • Personalize and issue physical National Identity Cards to every registered person. Card-Issuing Body • Manage the National Identity Cards throughout their life cycle. (Optional) • Establish and operate a platform for identity verification and identification services that allows individuals to assert their identity and be authenticated online. Identity Service Provider • Assure the long-term value of the NIR by working with all government agencies concerned, as well as Use private sector enterprises (banking, healthcare, transportation, etc.) in order to meet their identity needs and to promote continued adoption of the platform. In the event that eID is built on PKI, this needs to be established or outsourced to private entities. Credential and • Issue eID digital certificates and credentials to each registered identity. Certificate Authority • Establish and operate a Certificate Authority (or equivalent). • Establish and operate the identity directory. the NIA is essentially a back-office organization; it can operations or as part of special mass-enrollment cam- remain fairly small in its head count and is limited to a paigns. There are broadly two models for registrars: central head office. they may be members of select government agencies, Enrolling the population (as shown in the first insti- or members of the NIA. In the first model, government tutional role above) can be done by registrars, following agencies may be selected to serve as registrars that have a national standard established in coordination with technical capacity and a distribution network throughout the NIA. The registrars can collect information from the population, such as the Civil Registry, the Ministry of their customers, either in the normal course of their Health, the Ministry of Social Welfare, etc. Based on an Developing A Digital Identity Program 23 Possible Institutional Framework Showing a Collegial Cooperation Strategy FIGURE 9:  between the NIA and the Registrars ABIS UIN National Identity Authority Population Touch Point Registrars Social Finance Labor Police Civil Welfare Applications of Segment Poor and Formal and Passports and Pensioners Identity Card Covered Vulnerable Informal Sector Residence Applicants Permits Know Your Customers Databases 756487 453628 756487 372834 448594 674636 745360 356483 456283 574983 Source: World Bank analysis. Note: For example, a Social Welfare organization could collect biometric enrollment data as part of its door-to-door poverty survey using the NIA standard. The survey data needed for establishing the poverty score of a household would be retained in the information systems of that ministry, while the biometrics, if collected, would be sent directly to the NIA for de-duplication, issuance of a UIN, as applicable, and registration of the identity in the NIR for use by any other approved application, including the ones run by Social Welfare. established government policy, the registrar may collect second model, the role of the enrollment agency is added information broader than the minimum set established to the NIA. Here, the NIA would have to build the geo- by the NIA for its core mission. It could include data for graphical footprint required to achieve total coverage. In Know Your Customer (KYC) purposes specific to the such a case, it would have to establish and operate enroll- needs of individual government agencies. The registrar ment centers or regional offices in addition to its central would submit only the core identifying data to the NIA, head office. This is obviously a different type of institution, retaining the rest for specific KYC databases (see for and its establishment and management would require a example Figure 9). The coordination among registrars more complex operating plan and a significantly higher would be done according to the collegial cooperation budget. Of course, a hybrid model is also possible, where plan for total enrollment coverage developed by the NIA. the NIA captures minimal data needed for its operations, With such plan, several relevant government institutions while other government agencies capture their own data, can contribute to the data collection effort by leveraging on a different timescale or lifecycle, and maintain their their existing customer-facing infrastructures, including own databases. These databases could be interlinked by human resources, field offices, and ICT platforms. In the a UIN. Additional scenarios may be considered; people 24 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA FIGURE 10: A Potential Governance Structure for eID at a High Level Cabinet Steering Committee National Identity Agency Executive Financial Risk and Independent Committee Management Compliance Auditor Committee Committee Source: World Bank analysis. may be expected to appear for registration at a registra- identity stakeholders. It provides the strategic ori- tion office, or registrars may visit different towns and entation for the NIA and is responsible for the de- villages to register people and to collect data. velopment of eID policy. During the implementa- Equally important is the decision on how the roles tion phase, the organization ensures the supervision pertaining to the use of identity are distributed. An orga- of the project roll-out. During the operational nization may need to issue and manage national identity phase, it serves as the committee that sets the ongo- cards. In addition, the same or another organization ing eID objectives, priorities, and performance tar- may need to provide identity services that allow regis- gets, as well as determines the funding require- tered individuals to assert their identity and be verified ments and the business model. It evaluates the or identified online. Lastly, for the eID to realize its full performance and supervises the utilization of funds. potential, digital credentials need to be managed. This The body reports to the cabinet, a sponsoring min- means establishing identity services, as discussed ear- ister, or the executive, on all matters related to eID lier, and may include the establishment of a full-fledged and the country’s identification requirements. The CA, or equivalent authority, in support of the adopted Chairman of the committee is typically appointed institutional framework. by the head of state (the president or the prime minister). iii. Institutional Governance for eID ◆◆ Executive Committee: This is the body that sets In a data-centric world, where eID uses and gener- the overall NIA strategy and objectives in line with ates data, the role of any organization that deals with the requirements of the Steering Committee and identity grows in importance over time, as more data ensures that the organization delivers according to accumulates and the dependency on eID increases. the strategy. It also sets accountability measures and In order to maintain checks and balances over such controls within the organization. It consists of the organizations, a robust multi-layer institutional gov- most senior body of individuals within the NIA that ernance structure is needed. are responsible for managing operations. One such structure is shown in Figure 10 at a high level and consists of multiple specialized committees ◆◆ Financial Management Committee: Oversees and as follows: manages planned capital and operational funding usage. Monitors the financial performance metrics ◆◆ Steering Committee: This is a high-level oversight for the NIA. organization with representation from multiple Developing A Digital Identity Program 25 ◆◆ Risk and Compliance Committee: Ensures that players could seek to participate in the investments risks are identified, assessed, and mitigated in a rea- required to put in place the necessary infrastructure and sonable and coherent manner for the whole solutions for eID, in order to register and issue creden- program. tials to the population. The public and private entities could decide on a model for the return of investments ◆◆ Independent Auditor: This is a critical component made by the private sector, including through a per-card of the NIA’s institutional governance. It is typically charge,33 as identity cards are issued over a long contract put in place to ensure that the eID program delivers period, or through charges for identity services. on its mission within the framework of the legal act In order for PPP schemes to attract private sector that led to its creation, while respecting the applica- participation, good policy and credible incentives are ble human and citizen rights. It is the body that en- needed to offer an enabling environment with a level hances the trust in the organization and its indepen- playing field, a competitive marketplace, and a deter- dence has to be a high priority for the government. ministic model for the return of investment. The government may require a regulatory body to have direct oversight of the eID program’s operational phase. III.3 Technology iv. Public Private Partnerships (PPPs) for eID An eID system is built by putting in place several technol- ogy solutions. Technology strategy thus plays a crucial While the ultimate responsibility for the development role in the development of eID in a country; dimensions of a foundational eID program lies with government, that come into play include cost, capacity, interoperabil- participation of the private sector can be helpful in ity, usage, security, privacy, and long-term viability. securing implementation success and sustainability. The As discussed in Section I, an eID includes several private sector is a user of identity programs, such as for technology-based solutions: banking or healthcare services, and is thus an identity stakeholder. Developing and implementing a well-func- ◆◆ Biometrics: Biometrics offers the technology to tioning national program for eID requires significant uniquely identify or authenticate an individual by technical expertise, which may be lacking within the electronically capturing a face photo, fingerprints, or government. The long-term viability of eID requires an individual’s iris. institutional efficiency, which can oscillate within a ◆◆ Electronic databases: Electronic databases offer a government agency over time. Private sector institu- way to electronically store identity data and make it tions can thus play an important role in balancing the available for online or mobile usage. Electronic stor- government mandate of a national eID program while age of identity data also allows data to be recovered boosting operational efficiency. In addition, the private when faced with natural or man-made disasters. sector can act as a service provider, to which imple- menting government agencies could outsource some or ◆◆ Electronic credentials: Electronic credentials, such all of their operations, on a competitive basis, including as smartcards or mobile phones, offer a way to elec- for data capture and office or project management. The tronically authenticate the identity of a person for private sector companies can also serve as suppliers of in-person, online, mobile, or offline services. consumables (card stock, ink, smart chips, etc.), equip- ment (computers, biometric scanners, cameras) and 33  or example, in the United States, Departments of Motor Vehicles F can be system integrators or total solution providers. in different states establish long-term contracts with private sector They can play a role in the longer-term operations and companies (typically five to 10 years in length). These companies put in place systems to issue drivers’ licenses at their own cost maintenance of the eID program for the government. and they, over the period of the contract, return their investment Given the nature of an identity issuance operation from the per-card charge they are allowed to keep as part of the overall fee they collect from the applicant. The rest of the fee is over the long term, a national eID program could be given to the state. These PPPs have become very successful revenue structured as a PPP. Within this model, the private sector centers for the states. 26 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA ◆◆ Mobile, online, and offline applications: Digital ap- plications, when linked with eID, offer new products In selecting a solution, the overall identity and services to consumers, available in-person, on- system should work with any mix of equivalent line, offline, or via mobile. components from different suppliers. The implementing agency should be able to An important part of the technology strategy is an easily replace backend matching engines, assessment of a country’s underlying, enabling tech- biometric capture devices, or any other nology infrastructure. High-speed Internet is often a elements seamlessly, without jeopardizing necessary requirement for an online identity solution. the operations of the overall system. Systems Many developing countries, particularly in Africa, are should be based on open standards at all still working to develop and deploy high-speed Internet. levels—biometric or IT. The degree of penetration of smart devices in a country— in the form of smartphones and tablets—determines the potential for mobile identity and mobile applications. A strong domestic IT industry is needed to provide the An identity system has to be based on a design that is human capacity and the products and services that can flexible enough to meet the country’s needs into the benefit from digital identity. Electronic banking and foreseeable future, independent of the vendor that ini- financial services require the availability of a financial tially delivered the solution and the specific technology infrastructure—such as a national payment system, upon which it was built. POS devices, ATMs, agent networks, and payment net- Vendor and technology lock-in is an important consid- works—to benefit from eID. eration, since identity systems tend to develop a network A determination also has to be made as to whether an effect, i.e. they increase in size and value as more people online or offline mode of authentication is to be adopted. enroll and more governmental and non-governmental An online approach offers a higher degree of robustness programs depend on them. This dependency—whose and reliability, but also requires a more robust com- effect is often seen at the time of contract renewal, in munications infrastructure. An offline approach offers the form of the incumbent or legacy system advantage— greater flexibility, especially in remote and rural areas, makes it harder (or more costly) to migrate from one though it poses potential gaps in reliable authentication vendor or technology to another. and suggests some costs for proliferating relevant cre- In order to protect against such risks, the implement- dentials for offline use. ing authority needs to ensure that its identity system is Many of the technical components revolve around “vendor neutral” and “technology neutral,” by putting identity data, including technology for capturing, in place a set of design elements for the architecture, encrypting, transmitting, storing and using this data a sample of which is provided in Table 9. These are to identify and verify the identity of individuals. In intended to be applied as requirements during the pro- this section, we present an overview of some of the curement process. more critical technology elements in this field as The ultimate goal is to promote the emergence of an we highlight the choices that lie ahead and consider identity ecosystem in the country, which allows many the importance of creating the right environment, vendors, products, solutions, and technologies to con- in which technical and vendor dependencies can be tinually compete on features, performance, and price. effectively managed. Identity is an important national asset and it needs to be served by a healthy and robust market that offers i. Creating the Identity Ecosystem: Mitigating choice, rather than by one that is dominated by a single Network Effects or a handful of vendors. Devising a prudent technology A first step in the technology strategy for eID is to strategy should be a priority for any country that sees design an open architecture platform that protects identity as an infrastructure to be protected through against lock-in due to a specific vendor or technology. informed regulations. Developing A Digital Identity Program 27 Ensuring the eID System is Open and Does Not Suffer from Vendor Lock-in Table 9:  or Technology Lock-in Requirement Description Modularity and Open The total solution should be built as a collection of modules, or subsystems, each performing a well-defined Architecture identity task and having an open interface. In the language of Service-Oriented Architecture, the modules represent specialized services that are easy to orchestrate into total solutions using standard IT integration and open architecture methodology. Applicable Standards: • All communications between modules should be subject to accepted international open interface and security standards, as specified in ISO/IEC 7498 family and the standards referenced therein. COTS, Scalability, • The hardware and IT platform should be based on Common Off-the-Shelf (COTS) modules, including computer Reliability, and servers, storage devices, and all ICT components. Availability • Scalability: the system should be designed to easily scale up for national coverage through the straightforward addition of more hardware and software. • Reliability: the system should be reliable, with high-quality performance and minimum or no down-time. • Availability: the system should be easily available for coverage in urban and rural centers. • The implementing agency should be able to second-source every element (i.e., procure each element from multiple vendors). Certified Biometric Biometric capture devices, if used, should be certified for image quality and should have standard interfaces to allow for Capture Devices their plug-and-play interchangeability. Applicable Certification: • US FBI Appendix F for livescan 10-print fingerprint scanners or its equivalent US NIST Mobile Profile 60. • US NIST Mobile Profile 45 for two-print fingerprint scanners. • US NIST PIV for single-finger scanners. Applicable Interfaces: • BioAPI standard family (ISO/IEC 19784, 19785, 24709, 24708, 29141). Standard Identity and • Identity data should be in a format based on the internationally accepted standards for electronic data exchange. Biometric Data • No portion of the data should be proprietary or vendor-encrypted, and all data should be accessible (reading, writing, Formats querying, etc.) through standard IT protocols without vendor intervention. • The biometric data, if used, should be stored as raw images (compressed for transmission, as allowed by the standard) from which the proprietary templates of any algorithm can be generated. Having the biometric image data ensures that migration to a new vendor template is possible. • On smartcards, if used, proprietary 1:1 verification templates should be avoided; instead the interoperable template format (so called MINEX template) should be used. Applicable Standards: • Biometric data formats: ISO/IEC 19794 (parts 1 to 10) or the equivalent US ANSI/NIST-ITL-1-2007 and 2008. • NIST INCITS 378 for verification template interoperability (so-called MINEX certified). ii. Linkage with Civil Registry or Use of Biometrics The first method uses a set of controls and proce- One of the important requirements of an eID system dures for civil registration to ensure that every birth is to establish the uniqueness of an identity before it is is well-documented as early as possible. A robust civil issued a credential, if any. There are a couple of ways in registration process can link each individual to a unique which this can be achieved: entry in the register. Given the state of civil registration in many developing countries,34 establishing uniqueness by ◆◆ Verification of uniqueness of entries in civil regis- 34  NICEF reports that up to 40 percent of children are not registered U tries; or at birth in developing countries (compared to 36 percent worldwide). “The ‘Rights’ Start to Life: A Statistical Analysis of Birth Registration.” ◆◆ De-duplication using biometrics. New York: The United Nations Children’s Fund, UNICEF 2005. 28 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 10: Factors to Be Considered in Selecting a Biometrics Set Criteria Description Accuracy Provides adequate 1:N accuracy such that each individual can be identified unambiguously from the population. This is the resolving power of the biometric set. The more biometric data is available, the higher the resolving power. Inclusion Ensures that everyone is able to provide some biometric sample, including those that represent challenges for certain modalities (e.g., children, manual laborers, or amputees that typically challenge fingerprints) but seem to be fine for face or iris scans. Flexibility Necessary to support the diverse Use Cases during the lifetime of the program. For some applications, fingerprints are ideal (mobile), while for others it may be face or iris (electronic gates). relying exclusively on civil registration may not be feasi- of the multi-biometric set should be measured against ble. Governments may have to heavily invest in digitizing the three criteria, shown in Table 10. Generally speak- historic civil records, capturing future civil information ing, this set needs to have sufficient accuracy to resolve electronically, and establishing the institutions, systems, each individual from the entire population, it should be and processes for a civil registration system to efficiently inclusive in that everyone can provide some biometric function. The second method, as given by biometrics,35 sample, and it should be flexible enough to support any offers an alternative to the civil registry and can be Use Case envisioned. instrumental for establishing uniqueness and for the The amount and type of data to be captured should de-duplication process, as was described in Section II. be governed by policy. A mass initial enrollment is a Governments may consider establishing a strong civil sizeable exercise, and is likely a single opportunity to registration program, or using biometrics for identifica- capture the population’s data. The policy of collecting tion. Both options present pros and cons. In the case of more data has to be weighed against the cost (including developing countries, especially in Africa, biometrics the cost of equipment, time, and labor) and the incon- offers an attractive way to expeditiously enroll, register, venience caused to people due to a heavy process. As a and authenticate people, and allows a country to develop consequence, the NIA working with all the stakehold- a reliable and robust identification system, albeit one that ers needs to arrive at a minimum set of biographic or comes with important considerations of cost, capacity, biometrics to be included in the Core Identifying Data security, and privacy. Governments aiming to pursue a (CID) that could satisfy the above three criteria. For civil registration route should consider a detailed strategy example, this set could consist of six fingerprints as well and implementation plan. as a face photograph for a program that might cover up In case the government decides to use biometrics for to 50 million people. In other environments, such as, for identification, the type of biometrics most suitable for the example, India, it is necessary to capture 10 fingerprints program needs to be determined. Note that biometric in addition to two irises, in light of the large size of pop- technologies are used not only for the de-duplication ulation (1.2 billion people in India). process (1:N matching), but also for authentication (1:1 matching), where a claimed identity is verified at the time it is asserted or used. Today, the three most mature 35  NA is the ultimate ground truth of human uniqueness (modulo D and effective types of biometrics that can be used, both identical twins). However DNA for the foreseeable future is un- for 1:N and 1:1 matching, are: fingerprints, the iris, likely to offer an ethically acceptable and technically viable solution for large-scale civil identity programs. and the face.36 In practice, a multi-biometric strategy 36  Other technically mature modalities are voice and 3D face, but (as opposed to uni-modal) can be helpful for the core those do not truly support large-scale 1:N de-duplication and hence they have not had utilities in civil identity registration, even though identifying information, where a combination of these they are useful for 1:1 verification applications, such as access over three modalities is used. Ultimately, the specific choice the phone or through a physical portal. Developing A Digital Identity Program 29 Capturing Biometrics of Children Capturing biometrics of children is a challenge. The papillary ridge structure of fingers does not develop before the age of six, which means no reliable identifiers can be extracted from children’s fingerprints before that age. Above the age of six, fingerprints continue to change with growth until adulthood. But that variation is predictable and is compensated for by some of the leading AFIS software. Some countries, including the European Council (Presidency meeting document 9403/1/06), use 12 years as the minimum legal age for capturing fingerprints from children. An alternative could be to capture iris, which is a biometric that is fully formed in the first year after birth, and seems to be practically feasible to capture down to five years without any challenge and down to one year with significant assistance of mother noted. In any case it is always a good policy to capture a face starting from birth, even though it is not as accurate as a finger or iris and the photo would have to be updated over time. In deciding the final set of biometrics, special attention It is recommended that a biometric-capture feasibility needs to be given to their capture from segments of the study be performed early on to assess the scope of the population that may represent exceptions. These could challenge within the country’s diverse population. The be: individuals that cannot physically provide an accept- study can recommend the right mix of choices among able biometric and hence represent a technical challenge the ensemble of exception-handling measures that is to the capture process; or individuals, who, because of most suitable for the requirements of the country and religious or cultural constraints, represent a social con- its budget constraints. sideration to enrolling biometrics. In the first category, The cost of exception handling for biometric-capture the most important groups are manual laborers—whose among children has, in the past, led countries to decide to fingerprints tend to wear off from excessive use of their only enroll the adult population. For example, Indonesia hands—and children, whose fingerprints are not fully enrolls individuals over the age of 17 in its e-KTP pro- developed or undergo changes with development; as gram,37 which captures 10-print fingers, the two irises, well as the disabled or amputees. These challenging cases and the face. Children are required to be registered require adopting exception-handling protocols (which under a parent or guardian (typically mother) until the may be relevant for 1 to 2 percent of the population) in age of 17, when the children attain their own record order to ensure total inclusion. Exception handling for and are de-duplicated as a unique identity and issued biometric capture may include the use of: their e-KTP card. The approach offers benefits but may not be ideal for every application. For example, in areas ◆◆ newer fingerprint scanners based on thin film imag- such as healthcare, there is a need to identify children ing devices (e.g., Light-Emitting Sensors) instead of individually, so as to assure the follow-through required optical sensors; in certain vaccination and treatment programs. ◆◆ fingerprint conditioning materials (gels, alcohol, etc.) A comparison of the different types of biometrics is to improve the finger image contrast on the scanner; presented in Table 11. In summary, a policy must be developed specifying ◆◆ membrane coating of scanner platen; what biometrics are required, if any, by age group and spelling out the exception-handling procedures as part ◆◆ multi-biometrics: when finger is not feasible, the iris and/or face can supply an adequate alternative, or other forms of biometrics could be used. 37 See the official website of the e-KTP program http://www.e-ktp.com/. 30 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Comparison of the Most Mature Biometric Modalities Commonly Used in Civil Table 11:  Identity Programs Finger Face Iris Available Number 1-10 flat fingers 1 2 Capture Scanner Cost Low to Medium a Low b Medium to High c Ease of Capture High High Low to Medium Computing Resources Needed Medium to High Medium Low for De-duplication • Most intensive among all biometrics Iris-matching algorithms are the • Requires high-end computer cluster most efficient, consuming least with large memory computing resources Adjudication Requires a trained fingerprint Any human can compare two Determining if two irises match is examiner faces not possible via the naked eye Accuracy Very High Low to Medium Very High when 10 prints are used when 2 iris are used Failure to Acquire <1–3% 0% ~1–2% Children • < 6 yrs. finger ridges may not be All ages • Down to 5 yrs. of age, possible useable identifiers without parental assistance • > 6 yrs. to adulthood useable wt. • Below 5 down to 1 yr., special software that compensates challenging and requires changes parental assistance • Below 1 yr. of age, iris may not be suitable Manual Laborers Challenge No problem No problem Costs are assessed as follows: 10-print scanner (approximated at US$500–US$750), 2-print scanner (approximated at US$200–US$250), a  and 1-print scanner (approximated at US$5–US$40). Using inexpensive webcams. b  Cost of iris camera is assessed at US$500–US$1000. c  of the NIA mission. This policy is informed by technical, players worldwide. Using open standards requirements, cultural and human usability factor studies relevant to as discussed above, should help in developing an effective the country. technology solution. In addition to the choice of the type of biometrics, iii. Choice of Identity Credentials several technical decisions have to be made regarding the capture devices and the ABIS/AFIS backend systems The NIA may issue a physical identity credential needed to perform the de-duplication. The global market though it is not required to do so. The organization’s for these technology components is robust and has many responsibility could be limited to the generation of a Developing A Digital Identity Program 31 Table 12: Cost and Security Tradeoffs for the Different Credential Media Card Type Description Security No Physical Identity is asserted through the UIN (printed on some Offline: no mechanism is provided. Credential low-cost medium). Online: authentication via online identity services. (zero cost) Low-End Cards Such as cards printed on PVC, Teslon and other low-cost Offline: can support a reasonable set of physical security (low cost) substrates. Can contain the UIN in a magnetic strip, features that give moderate protection against forgery. which serves as a data pointer to the central identity Online: pointer in magnetic strip could connect identity to record in the NIR. online identity services for authentication. High-End Cards Includes single-as well as multi-application smartcards Offline: can support a high degree of security using laser (high cost) on a high-end durable medium such as polycarbonate. engraving personalization, which is harder to forge. Offline Electronic: using a smartcard reader, which reads the data on the card and verifies against the live person (verifies biometrics, or requires PIN) without needing to reach a central database online. Online: In the absence of a card reader, the card can serve as a pointer to an identity record and identity can be verified via the online services. Mobile Credential The credential is carried on a special SIM on the mobile Offline: no natural mechanism, unless an application can be (low cost) or smart phone.a used to securely read the credential on the phone along with a mechanism for strong authentication. Online: credential can be authenticated through online services using strong authentication with or without biometrics. a Note that a dedicated SIM is not needed. UIN, as applicable, and the associated digital certifi- and operating secure card issuance systems that include cates and credentials. These digital assets can be subse- printing and engraving. The third is the ongoing cost quently used by other government agencies, which can required to manage and keep up-to-date the population optionally incorporate them into the physical evidence of cards in circulation. of identity with which they equip the sector of the pop- The emergence of online identity (identity in a cloud) ulation they serve. as well as mobile identity can provide some cost-effective Whether the identification is multi-purpose (founda- alternatives. In the long term, physical ID documents tional) or functional, the choice of credential is signifi- may persist, but the availability of the purely digital alter- cant, since it could be costly. The cost consists of three natives places a cap on how much one should spend per elements: ID card. Table 12 shows a comparison of four different mediums for credentials, focusing on cost and security ◆◆ Cost of the medium (the cards) trade-offs for offline and online transaction purposes. At one end, a government may opt for no physical ◆◆ Cost of the Personalization and Issuance Systems credential at all;38 here, identity is verified only online via the identity services run at the NIA. These services ◆◆ Cost of the Card Management Systems would work as follows: a data pointer is used to retrieve The first is proportional to the size of the population served, and hence could be prohibitive for large popu- 38 N  ote that credentials would still be needed for specific functions, lations. The second represents the cost of establishing such as travel (e.g., passport) or driving (e.g., driver’s license). 32 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA the identity record from the central repository, which iv. The Structure of the Unique Identifying is then verified through some mechanism of authenti- Number (UIN) cation, including a PIN or 1:1 matching of biometrics of claimed identity, against what is stored in the central From a data-centric viewpoint, an individual identity database. Alternatively, a government could use a low- may appear in many databases distributed across several cost, non-smartcard with physical security features, government organizations. Those entries are generated which could be used as an offline credential, suitable for in the course of the individual’s interactions with dif- most low-risk purposes. This would be supplemented ferent state functions over time. Absent a foundational by online identity services for when there is a need for identity framework, each database may refer to the a higher degree of trust or for electronic transactions. same individual differently (different number), making At the other end, the government may use smartcards, it harder to link entries pertaining to the same individ- where personal information and digital credentials are ual across multiple databases. With the UIN associated stored securely on an embedded chip. High-end smart- with a fixed identity, the situation can become dramat- cards may not just be a credential to vouch for identity ically different. The UIN may be supplied to all govern- but a secure platform to deploy applications needed ment agencies for incorporation into their databases, by different govern- ensuring a holistic ment sectors. In this view of the individual case, smartcards are Under all circumstance one should by linking fragmented an enabler of new ser- keep in mind that, in a data-centric identity information vices and those Use world, what is fundamental is not across different data- Cases could justify the bases. This unified added cost. One unique the id card, but the identity data, view can help agen- capability that is attrac- which can be leveraged by storing cies improve their tive about smartcards it on various media depending service delivery and is their ability to pro- cut down on fraud. It vide an offline identity on needs and budgets. has significant value authentication mecha- in streamlining the nism through the use of card readers. Smartcards entail administrative functions of government. Hence, the higher costs and require a card reader infrastructure issuance and utilization of the UIN is recommended, (such as POS) for use. though has to be considered in light of potential pri- Mobile devices are emerging as a potential contender vacy risks caused by such a construct. for carrying digital identity. They have tremendous cost To decide on the structure of the UIN, a technical and convenience advantages, since they are already in analysis is often needed. This includes deciding if the the hands of many consumers and do not require yet number codes certain immutable information about another physical item, such as a smartcard. This type its bearer or not; and if it does not, whether it will be a of identity credential has the potential to gain a strong serial number or a completely random number. As can footprint in the future worldwide. be seen from Table 13, some countries have opted to In the end, how a population is credentialed is code information such as gender, date of birth (DoB), informed by an examination of the identity needs in all district of birth, etc. There are obvious advantages to sectors and is impacted by the current state of develop- such coding, but also potentially some dangers. For ment of the country’s ICT infrastructure. Countries with example, the UIN can reveal information that could be strong connectivity and communication coverage can used for discrimination, profiling, and social exclusion. take advantage of online services to provide the authen- This is of particular concern in an eID context. Service tication and trust, while for those where connectivity providers could decide to price their services or restrict is not consistent throughout the country, smartcards their availability, depending on certain digits in the become indispensable for offline identity verification. UIN. In addition, a structured number makes it easier Developing A Digital Identity Program 33 Table 13: Examples of UIN as Implemented by Several Countries, Showing the Number of Digits and the Information Coded Country UIN Name Digits Information Coded Gambia National Identification Number (NIN) 11 Place of birth; Place of issuance; Nationality Nigeria National Identification Number (NIN) 11 No apparent code South Africa Identity Document Number 13 Date of birth; Gender; Citizenship India Unique ID Number or Aadhaar 11 None, Totally random Indonesia Nomor Induk Kependudukan (NIK) 16 Date of birth; Place of issuance Pakistan National Identity Card (NIC) Number 13 Gender; Locality Estonia Personal Identification Code 11 Gender; Century of birth Latvia Personal Code 11 Date of birth for fraud perpetrators to guess the number (or at least UIN assigned to the individual’s identity and stored in narrow down the range of possibilities) starting with a the NIR. The PIN can be used to verify the identity of few known facts about its bearer (i.e., through social the bearer in circumstances where biometrics are not engineering). In the United States, the social security practical or are not available. Clearly, this would provide number (SSN) was structured, until it became clear weaker confidence in the identity of the bearer (espe- that in the age of social media, where a lot of personal cially for non-repudiation purposes) and hence would be information is publicly available online, a structured SSN used for lower-risk transactions, in accordance with the is vulnerable to being guessed. Since June 25, 2011, the country’s risk management model. For example, a citi- newly issued SSNs are randomized. Of course, this is zen interacting with a government agency via a mobile relevant only if the UIN is to be considered private, like device may be required to supply his or her UIN and, in the SSN is in the US. addition, authenticate himself or herself by providing In the case where the UIN is to code no information, the PIN, which could be sufficient for requesting rou- a serial number is mildly easier to issue, from a technical tine documents. This is convenient, since it allows this standpoint. It can also give a sense of when enrollment individual to use a mobile device that is not equipped took place, since lower numbers would have been issued with a fingerprint reader, for example. Some countries earlier. But those are only minor advantages in favor of a serial number. Structure for an Uncoded UIN FIGURE 11:  Another basic decision is the number of digits to be Showing the Identifying Digits, the used. The number of digits selected should provide for Hash Control, and the Optional more than enough UINs to comfortably accommodate Security Pin all new births expected for the foreseeable future in the country (on a scale of 50 to 100 years). Typically, this puts the number anywhere between 11 and 16 digits (includ- XXXXX… XXXX C **** ing a control digit), which should be sufficient for most 10–15 Digits Serial or Hash or Personal countries in the world, including all African countries. Random Number Control Identification Digit Number (PIN) On a final note, we should point out that the UIN could provide a mechanism for identity authentication through Source: World Bank analysis. a PIN. This can be implemented by adding some hidden Note: The hash digit (or checksum), is designed to identify common errors when typing or exchanging the UIN (e.g., Luhn checksum digits, say four, to the UIN (see Figure 11). The PIN can algorithm in the public domain and specified in ISO/IEC 7812 standard be set by the individual and can become a part of the pertaining to ID card). 34 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 14: Measures and Technologies Used in Identity Vetting Measures Description Technology Linking to Breeder Presenting documentation such as birth certificate, • Document scanners. Documents nationality certificate, passport, driver’s license, • Document readers with automated fraud detection systems voter ID, property title, tax ID, ration cards, ID from (documetrics). recognized educational institution, trade or labor • Forensic analysis. association, etc. Checking External Online validation of the name by checking its • Digitized civil records. Databases presence in external and legacy databases, such • Secure access portal controlled by organizations owning as the register of births and deaths, social security the data. records, tax records, property records, pension • Access privilege to external data by NIA. records, poverty registers, etc. • Ability to query the databases. • Software for entity or identity resolution to disambiguate a person based on text data. Examining Identity In a structured society, the actions of real persons • Identity intelligence software that uses open source to create and Social Footprints leave behind a trail, the so-called life’s audit trail or a body of knowledge around an identity. footprint. • Can use the identity knowledge to establish a test of proof of identity—the so-called challenge response. The real person is the only one likely to answer correctly questions related to his life’s audit trail as extracted from this data. Community Affidavits Testimonials from trusted community members who • Traditional filled-in affidavit forms (offline or online). can act as witnesses to the existence of this person • Oral interviews. and perhaps his/her reputation. This is evolving • Increasingly, access to social media with vetting from friends. into the new domain of social media and online communities. in Africa have reported difficulty in the use of PIN due Robust vetting requires an elaborate process involving to low literacy rates among the population or among its several investigative measures and technologies. This older members. is costly because it involves the collection and scan- ning of evidence, as well as its subsequent examination v. Identity Vetting and validation through mechanisms that could include cross-referencing against external databases (birth or One costly element in an eID program is the vetting death registers, health records, etc.), forensic examination of identity. This is the process of connecting a claimed of breeder documents to ensure they are not forged, and identity to a natural person. It involves establishing docu- interviews with individuals and members of the commu- mentation for use of the name, the DoB, and the address nity (see Table 14). where this identity can be localized. Thus it is important to adopt a detailed policy on what Ideally, all persons should be documented in the civil constitutes acceptable vetting within a framework of risk register at birth or upon entry into the country and would tolerance. This should represent the shared vision of the have been given a secure birth certificate, the posses- government stakeholders as to how to prove identity. sion of which would go a long way in proving that the In one extreme, the example of India, biometric data is person is entitled to the claimed name with that DoB. captured along with minimal biographic information. Unfortunately, in many developing countries, docu- The identity is fixed and from then on is enriched not mentation of proof of identification is lacking, primarily in the NIR but in the databases of other ministries that because of inadequate civil registration,39 and because of the ease with which civil documents can be forged or counterfeited. 39 See UNICEF report Opt. Cit. Developing A Digital Identity Program 35 take upon themselves the responsibility of vetting the III.4 Trust, Privacy, and Security data they need for the conduct of their specific mission. For example, a passport agency would need to establish The establishment and operation of an eID system nationality before a passport is issued. A department of requires putting in place an elaborate set of safeguards motor vehicle agency needs to validate that an individual that fall under the heading of trust, privacy, and secu- is fit to conduct a vehicle and uses identity to bind to that rity. Collectively, these are intended to ensure that the individual certain driving privileges. system operates within the boundaries of the law, does A decision on what vetting data to collect during the not violate people’s rights, and is protected from abuse, mass enrollment requires consultation with the country’s risks, and vulnerabilities, so that it can earn the confi- identity stakeholders. A government may be keen to cap- dence of those who rely on it. ture as much information as possible and to document For simplicity, we have chosen to discuss these safe- everything digitally. Certain government agencies may guards under three separate headings, knowing that argue that, unless specific information is provided, identity these three topics are intertwined. For example, mea- does not achieve its full potential value in their domain. sures that achieve security also enhance privacy and While they see value in its uniqueness and in the UIN as build trust. In addition, this topic should be considered administrative tools, they believe the missing information alongside the sub-section on operational processes and might inhibit their ability to perform KYC from the outset. controls that have to be put in place in order to ensure The ultimate choice will always be a balancing act, operational success of eID, which we discuss in Section where requirements are weighed against cost and the III.5 below. inconvenience factor to the people. The optimal equi- librium point is a national policy that turns the shared i. Trust vision into an ID data model with acceptable standards for identity vetting and affordable technologies in sup- Building trust in the system is an important objective of port of those standards. It can also outline how the any IT program. It is even more so for an infrastructure additional or missing data, desired by other government as critical as a national eID with many different parties sectors, could be collected later in the course of normal relying on it. These parties include: the identified per- business interactions between those agencies and their sons who are providing their data during enrollment clients. The government thus has alternatives to: (a) cap- and use; the partner government agencies that require ture a core set of data early on in its mass enrollment, system access for their KYC and to provide services to some of which is retained by the NIA, while other data their people; and the private entities relying on eID to is stored by and of use to other government agencies; or conduct commerce or to provide services. For an eID (a) capture a minimum set of data early on to be retained program to work well, all parties must be convinced of by the NIA only; other government agencies would thus the integrity of the overall system. Unfortunately, build- capture their own data, during a different timeline and ing trust is challenging, as it takes a significant effort lifecycle, which would be retained in their own electronic to earn, yet it can be lost easily without safeguards. In databases, potentially interlinked by an UIN. addition, trust is not always fact-based; perception at Finally, we should point out that eID systems are times is as much of a factor as reality. often second-generation identity systems introduced to Practically, what does trust mean in a national eID replace legacy ones. An eID program can take advantage program and how is trust built? Table 15 provides a of these legacy databases both for more robust identity summary of some of the more important issues that a proofing (better than scanning paper documents) as program needs to address in order to earn and retain well as for mobilization planning (along with population trust. These come from lessons learned from similar surveys). In Indonesia, these databases were helpful in eID programs around the world. The list is by no means targeting individuals who were sent invitations to come exhaustive, nor is it prescriptive; it is intended to create to specific centers during the enrollment phase of the a starting point for an internal planning dialogue in a e-KTP national identity program. country that could culminate into an identity assurance 36 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 15: Requirements for Building Trust in an eID System Trust Element Key Considerations Registration This is a crucial element in the chain of trust. The registration process should ensure that only legitimate identities are Integrity able to enroll. Required Measures: • Assurance of captured data integrity at the enrollment centers and during transmission to prevent alternations, substitutions, or other manipulations. • When using biometrics, controlling captured image quality as measured metrics such as NIST NFIQ for fingerprints or ICAO face image quality 19794–5. If image quality is not kept high, fraud perpetrators could attempt evasion by intentionally providing bad-quality samples, since match accuracy is directly related to quality. • Matching accuracy of ABIS, if used, in the backend system should be high enough that (together with deterrence) it can lead to practically zero duplicate enrollments. Trusted The digital credential as well as the physical proxy should be virtually impossible to fabricate outside the NIA process. Credential Required Measures: • Mature and consistent information security, digital signature, certificate management, and encryption practices that leave no loopholes. • Minimum security requirements for any medium that will carry the credential, such as smartcards or mobile phones. Identity Relying parties need to be assured that the person conducting a transaction is who he claims to be and not someone who Assurance stole a legitimate identity. Required Measures: Strong authentication: multifactor or biometric 1:1 match. Combating Preventing the issuance of true-false identity, where a human operator could issue a genuine document for a false identity Malfeasance due to bribe or coercion. (Human Factors) Required Measures: • Supervised procedures and technology to limit the ability of enrollment agents to fabricate fake enrollment data (often by presenting wrong sequence of fingers, or by mixing and matching fingers from multiple people including their own as they reconstitute the 10-print). • Internal controls at the NIA to ensure that no single operator is capable of surreptitiously modifying or enrolling identity records without supervisor approval. • A higher standard for screening of new hires and ongoing monitoring of agents. Data Protection The public should be assured that their data at the NIR is protected against unauthorized access, including external (hacking), and Security internal (rogue employee), as well as organized mission creep. Required Measures: • Information security measures that emphasize strong data rights management. • Physical security measures to protect data centers. • Identity data segregation. • Enforced internal policy and procedures for access. • Public policy on data use. Trust Model Underlying the eID program, there is technology for trusted communication. This includes enabling authentication for access to online services, digital signature for commitment and non-repudiation, and encryption to secure transmission of transactions. Not only technical measures have to be in place, but also clearly defined responsibilities and liabilities of the authority providing this trust (e.g., CA) should be set in a Legal Act. strategy for the country. For example, in order to pro- be separated from the operational controls that have to mote trust, some countries have granted individuals a be put in place, as discussed in Section III.5. “right to view” all data that is being retained by the gov- Finally, we should remind the reader that the consider- ernment about them. Of course, the topic of trust cannot ations listed in Table 15 are designed to address trust in Developing A Digital Identity Program 37 the system itself and do not address trust in a particular privacy concerns, since it enables the linking of dis- identity. An identity registered and credentialed through parate information about an individual across data- such a system may still pose a threat to a relying party, bases, which a priori are not linked. Linkage deepens even though it may have been registered legitimately. The the insight into an individual, since the sum of data is question of trust in a particular identity requires other more invasive than its individual parts. practices, such as identity intelligence and identity risk assessment, which are outside the scope of this report ◆◆ Digital Audit Trail: Over time, if eID is successful, it and are typically carried out by organizations other than would become pervasive; it would enable a dominant the NIA for specific needs (employment checks, credit number of the population’s daily actions. Such mas- checks, criminal checks, etc.). sive reliance on a unique and traceable ID produces a significant amount of data exhaust in the form of an ii. Privacy audit trail of actions, which can easily accumulate in digital trail databases without the user’s intervention Privacy is the ability of individuals or a group to free or knowledge. These can be mega-sized databases themselves or the information about themselves from and may contain biometric data, personal directory being observed, thereby controlling what information data, locational data, device identifiers, transaction they reveal to others (also referred to as the “right to details and other PII, which are not the direct out- be left alone”). The boundaries and content of what is come of controlled enrollment but a byproduct of considered private differ among cultures, individuals, identity-facilitated use. and nations and are changing with the evolution of the Internet and social media. Nevertheless, privacy con- In addition to the potential for privacy invasion, there cerns are evoked universally by data-centric programs is the perception of loss of control. The consolidation of such as eID, and, if not addressed correctly from the massive amounts of data could be perceived as giving to outset, could jeopardize their success. one entity (government, in our case) an instrument that eID generates sensitive data during enrollment and could be used to control the individual and the popula- when it is used to enable the actions of its holder (audit tion. For example, if a log of eID activities is retained, it trail of transactions). More precisely, eID evokes privacy could evolve into a surveillance program, with significant concerns primarily for the following reasons: risks to eID adoption and to people’s privacy. In order to avoid the potential privacy pitfalls of eID, ◆◆ Enrollment Data: the eID registration process re- suitable protective measures need to be put in place. quires the collection of significant amounts of Some of the options are listed in Table 16. personally identifying information (PII) for vali- To start with, privacy-specific legislation forms the dation and vetting, as previously explained. The foundation of a pro-privacy environment. The legisla- collection of such information by its very nature is tive acts can pertain to specific applications or verticals invasive to privacy. PII includes information that (such as healthcare, financial sector, etc.), or they can be people generally consider private. omnibus and recognize privacy as a right covered in any ◆◆ The Central Database: not only does an eID system context. Often, the act that leads to the creation of the capture PII during enrollment, it consolidates that eID references and supplements such privacy laws. On data into central repositories to guard against dupli- this legal foundation, a government can build a series cative registration and to deliver identity services. of measures, similar to those first articulated by the Having a roster of all individuals in a country in a US Federal Trade Commission (FTC) as far back as in central repository creates significant concerns of 1998, and are collectively referred to as Fair Information security, exploitation, and misuse. Practice Principles (FIPPs). These were the result of the FTC’s inquiry into the way online entities collect and use ◆◆ The UIN: the use of the Unique Identity Number as information and represent general safeguards to assure an administrative tool to manage identity evokes adequate information privacy. Though slightly dated, 38 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Table 16: Building a Pro-Privacy Environment for eID Measure What is Involved Legislation Bodies of privacy laws that impact eID: • Industry-specific laws (for example HIPAA covers privacy of medical information, while GLBA covers financial records in the USA).a • Omnibus privacy laws covering all ID data (identity bill of rights). For example European Commission Data Protection and Privacy Directives 95/46 and 2009/136; Article 8 Charter of Fundamental Rights of EU; Convention 108/81 of the Council of Europe (COE). These types of laws cover privacy of PII no matter what type of data or application is involved. • eID specific Legal Acts: sometimes the acts that authorize the establishment of eID in a country also reiterate or introduce new bodies of legislation that explicitly provide privacy protection to people. Access and Data The protection of identity data and limiting its use, using technical measures: Protection • Data rights access management. • Anti-data retention measures (e.g., retention of audit trail data only for the period required by law for non-repudiation). • Use limitations. Notice • Individuals’ right to have notice regarding the data gathered about themselves and the right to know how and for what purpose it will be used. This may be required by law or it may be a good practice for all eID processes (enrollment, use). • Clear, meaningful, and prominent notice when collecting identifying data (iconic plus information link). Consent/Choice The individual’s right to consent to the collection and use of their personal data. Privacy by Design These include privacy-enhancing technologies and measures such as: • Data minimization and proportionality: capture data in proportion to risk. • Identity data segmentation and segregation: e.g., store identifiers separately from PII. • Do-not-track (DNT). • Right to be forgotten. • Right to view. • Pseudonymous, or anonymous transaction management (Trusted Agents). Privacy Policy Program-specific (eID program-wide), as well as specific applications. Privacy An independent body that reports directly to the legislative body (parliament) and acts as an advocate for privacy Commissioner rights, with powers that include: • Investigate complaints, conduct audits, and publicly report on the privacy practices of public and private sector organizations. • Educate the public regarding privacy. • Pursue legal actions for violations, where supported by law. Enforcement Meaningful legal instruments and mechanisms that provide sanctions for noncompliance. Enforcement is not necessarily limited to the scope of action of the Privacy Commissioner’s Office. HIPAA stands for Health Insurance Portability and Accountability Act of 1996 in the USA, while the GLBA stands for a  Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999. these principles embody the four protection principles now encourage the use of what has become known as for privacy in the electronic marketplace, which are Privacy-by-Design. This is an approach of system engi- Access, Notice, Choice, and Security. neering that takes into account, at all steps of the design The first three of the principles are discussed in entries and implementation process, the protection of privacy. 2, 3, and 4 of Table 16. Security is discussed in the next It is not a single measure, but a collection of technol- section. In addition to these principles, best practices ogies and methodologies that fit under the rubric of Developing A Digital Identity Program 39 Privacy- Enhancing Technologies (PET).40 PET continue and the execution of a processing resource or to grow as more attention is being paid to this import- application. ant issue. The examples of practices that we present in Table 16 are by no means exhaustive. ◆◆ Data Integrity: Ensures that information has not Another ingredient that has become important in been altered by unauthorized or unknown means at the privacy dialogue is the privacy policy (PP). This is any point in its journey. not a legal agreement, but an easy-to-understand doc- ◆◆ Data Confidentiality: Protects against unautho- ument that any person can read and that explains in rized disclosure, ensuring that information is kept plain language what an organization that collects PII is secret from all but those authorized to see it. committed to doing to safeguard the information. It is usually the document that Privacy Commissioners start ◆◆ Non-repudiation: Prevents the denial of previous with in examining the privacy practices of a public or commitments or actions, including repudiation of private institution. origin (sender of data denies having sent it) and de- Finally, as a best practice, it is recommended that the livery (receiver of data denies having received it.). eID program incorporate a PIA (privacy impact assess- ment) that can be part of the initial planning as well as It is recommended that a full-scale IT risk and vul- the change management procedures on an ongoing basis. nerability assessment be conducted prior to imple- mentation of the eID solution, as well as on an ongoing iii. Security basis, in order to monitor how the system withstands real-world operational attacks that could undermine At a basic level, an eID program is an information sys- its functionality. tem that is supposed to secure online human interac- tions. As such, in addition to the measures needed to III.5 Operational Processes build trust and respect privacy, as discussed above, the and Controls information system requires sound information secu- rity safeguards that mitigate against the risk of breach Ultimately, an eID system needs to be run as a going and other operational vulnerabilities, spanning areas concern. This means that there must be processes and of legislation, governance, technology, and operational controls in place to avoid the failure of the NIA and control. This is the fourth element in the FIPPs, as men- to ensure the achievement of the following corporate tioned earlier. objectives: From a technology standpoint, there is a body of well-developed best practices that can be followed. A ◆◆ Regulatory compliance: the NIA has to function in pertinent standard is the ISO/IEC 7498-2, which iden- compliance with all applicable laws and regulations, tifies the need to build the following security functions including the act that led to its formation. It has to in any information system, including eID: respect the rights of the people that it serves (privacy, as well as the right of access to service without exclu- ◆◆ Authentication: Applies to both entity authentica- sion or discrimination). This is in order to avoid po- tion and data origin authentication. The first pro- tential regulatory penalties and sanctions, and po- vides checking of a claimed identity at the time of tential loss of goodwill in the eyes of the public. usage, while the second provides verification of the source of data (this does not in itself protect against ◆◆ Protection against man-made operational risk: duplication or modification in data units). both internal (corruption, bribery, and collusion) and ◆◆ Access Control: Provides protection against unau- 40  ee Ronald Hes and John Borking, “Privacy Enhancing Technolo- S thorized use of resources at all levels of the system. gies: The Path to Anonymity,” joint report of the Information and Privacy Commissioner of Ontario, Canada, and the Dutch Data It includes: use of a communication resource, read- Protection Authority, Revised edition 2000, can be downloaded ing, writing, or deletion of an information resource, from http://www.cbpweb.nl/downloads_av/av11.pdf. 40 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA external (data breaches, cybercrimes, terrorism, and The processes and controls necessary for achieving general hacking and disruption of service). These could the above objectives can be grouped into two categories adversely impact the trust in the system, as discussed (i) Corporate and support function controls, and (ii) above, and could cause it reputational damage. Controls related to identity management. A summary of these are given in Table 17 and Table 18, respectively. ◆◆ Continuity of operations: an eID is a mission-criti- It is important to emphasize that the audits referenced cal system. Procedures and measures have to be es- in Table 17 are intended to be over and above any audits tablished to ensure that it can recover and continue that the Independent Auditor may perform on the entire to operate in the event of business disruption (such system pursuant to the requirements established by the as a disaster). cabinet or the parliament, as discussed in Section III.2 ◆◆ Continued relevance: as a going concern, the eID on Institutional Governance. needs to continue to be relevant and to grow its role The controls for the processes of identity management, within society. This requires capturing, on an ongo- shown in Table 18, include procedures applicable to ing basis, the public mind share. each phase of the identity lifecycle: registration, issu- ance, and use, including maintenance or updates. They ◆◆ Efficiency of operations: invariably, the NIA will be are designed to render the system efficient and account- judged by its ability to operate as a successful entity. able, and to protect the system from any form of fraud That means it will have to deliver on financial and or abuse in accordance with the requirements of trust operational performance metrics (e.g., efficiency and in the system, as set out in Table 15 above. customer satisfaction). Table 17: Corporate and Support Function Controls for eID System Category Control Description Operational These involve internal policies and procedures for the operation of the NIA as an autonomous corporate entity: Governance • Information security policies • Privacy policy and notices • Human resources policies • IT governance policy • Business continuity management and disaster recovery • Data retention policies • Communication to and acknowledgement by employees of policies There are a number of sources that provide guidance on this matter, including the ISO/IEC 38500:2008 on standards for corporate governance in IT organizations. In addition, regulatory requirements may have significant operational governance implications and should be consulted. Human Resources Screening of all employees, contractors, and consultants prior to their involvement in the eID program. This may include background checks, criminal history checks, and previous employment and credit checks. In some cases, a formal security clearance may be required for certain sensitive roles. Supplier Vetting Due diligence for suppliers as well as periodic review of performance. This is to ensure that they can actually deliver on contractual commitments and that they have the qualifications and skills necessary for quality of implementation. Change Management Procedures to facilitate the adoption of change within the eID system. Change control procedures should be designed to ensure that changes are appropriately considered, approved by management, and are not disruptive to the operations. Best practice standards are available, such as ISO/IEC 200000 Information Technology Service Management. Developing A Digital Identity Program 41 Table 17: Corporate and Support Function Controls for eID System (Cont’d.) Category Control Description Audit and Rigorous audits for the entire system, which would be conducted on a regular basis both internally and by trusted Compliance independent entities. The goal is to demonstrate the compliance of the eID system with applicable laws and regulations, as well as internal policies, and that it operates effectively as designed and presented to the public. Awareness • Marketing and public education programs to improve public awareness and understanding of the eID and to promote its continued use. • Internal training and awareness for employees to ensure they understand their roles and responsibilities in terms of security and privacy, and all other internal policies. Security and Privacy • Physical access control and security procedures to the eID issuance site to protect against unauthorized use. • Role-based system and logical access controls to prevent system abuse. • Segregation of operational authority to combat malfeasance. • Secure audit logs to enhance investigative power in case of an incident and to provide deterrence. • Privacy controls. Business Resilience Business availability, business continuity, and disaster recovery. Table 18: Controls Related to Identity Management in an eID System Category Control Description Registration • Request for eID application • Collection and scanning of identifying documents • Capturing of data into the eID system • Enrollment of biometric data into profiles • De-duplication of identity • Adjudication of potential matches • Vetting of identity • Confirmation of eID profile creation • eID profile approval • eID profile submission for creation Issuance • Creation of eID • Issuance of a physical credential, where applicable • Activation of the eID • Issuing the eID to the righftul individual Use: • Use of the eID for various authentication functions through identity services Authentication • Identity verification and authorization Use: • Call center for customer care Maintenance • Updates or changes for eID profile • Renewal of an eID • Revocation of an eID 42 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA Iv. Policy Considerations Developing countries face a myriad of pressing chal- useful reference and draw on the detailed account from lenges, from battling poverty and curbing corruption this report: to improving governance and ensuring the efficient delivery of services. eID can serve as a powerful instru- ◆◆ Conduct a diagnostic on the scope of eID in the ment to help tackle these challenges. eID provides a country: Before embarking on a full-fledged program cross-sector platform to accelerate economic and of eID, a government may consider conducting a social development in a developing country, eID is rapid diagnostic on eID to examine the potential and increasingly referred to as a “game changer” or a “pov- readiness of eID in the country. The diagnostic can erty killer,”41 as illustrated by the Use Cases in Section communicate a go or no-go decision to the II.5. government. It may involve reviewing several Though offering transformational benefits, eID also elements, including but not limited to: (a) cultural presents a sizeable undertaking for a developing coun- and political environment; (b) economic and political try’s government, and requires careful planning. Building environment; (c) legal and regulatory environment; an identity program spans several years, is costly, (d) state of civil registry, such as for birth, death, and requires multi-sector coordination, relies on scarce marriages; (e) current identity landscape in the technical skills, and mandates strong provisions for country, for foundational and functional identities; data protection and privacy. Political will and top-level (f ) potential Use Cases of eID for rapid adoption; (g) commitment are thus prerequisites for a successful eID eligibility criteria for participants to enroll in eID, program. Like many electronic government programs, such as for citizens, residents, foreigners, etc.; (h) eID promises huge rewards in return for calculated and capacity of government agencies with potential role managed risks. in identity management; (i) capacity of domestic IT In developing an eID program, a government has a industry as potential partners; and (j) governance number of policy choices to make. These choices require mechanisms for identity. a review of the country’s specific economic, social and ◆◆ Enlist champions and engage stakeholders of political context, and a discourse with the actors in the identity: A successful eID program requires several local identity ecosystem to build a viable eID program. Section III gives a detailed account of these discussions and the decisions to be explored. 41  ee press release “India’s Massive I.D. Program Exemplifies S ‘Science of Delivery,’” at http://www.worldbank.org/en/news/ As governments contemplate a digital identity pro- feature/2013/05/02/India-8217-s-Massive-I-D-Program-Exempli- gram, the following policy considerations serve as a fies-8216-Science-of-Delivery-8217? (last accessed May 10, 2014). Policy Considerations 43 key ingredients: high-level, sustained political com- (at healthcare centers and related institutions), and mitment, champions, and active stakeholders. The instituting compliance, monitoring, enforcement, overarching vision convening stakeholders, partners, and audit systems to ensure the authenticity of the and champions should underscore that: “identity data captured. In the absence of a strong civil registry, concerns all.” The identity ecosystem spans several biometrics offers an attractive technology. Over 1 line ministries, government agencies, regulatory billion people in developing countries reportedly bodies, industry associations, the private sector, and have had their biometrics taken for one or more civil society. To build collaboration across these or- purposes.42 Before opting for biometrics, the ganizations, the government should establish a con- government should perform feasibility studies to sultation strategy that identifies and involves stake- assess the type of biometrics to be used, and whether holders, and defines appropriate roles and any obstacles—technical, cultural, or operational— responsibilities for them. Such a strategy would af- hinder the adoption of this approach. fect identity registration and ensure that eID, when run across multiple programs and government ac- ◆◆ Decide on a credential, if any: Whether a govern- tors, is properly integrated. ment plans to issue a new national identity card to its people or update an existing one, the choice of ◆◆ Establish a supportive legal, regulatory, and credential, if any, is important. The credential authorizing environment: The government needs comes at different price points, from inexpensive to decide early on whether a foundational or simple ID cards or using mobile phones to more ex- functional identity program suits the country’s pensive but sophisticated smartcards. The govern- development needs. (See Section III.1 for a discussion ment also has to decide whether to underwrite the and comparison of the two programs.) Based on the cost of credentials or offer identity free of charge to approach, the government should review and update its people. The country may choose not to offer cre- the existing legislative environment as affected by dentials at all, depending on the type of the eID pro- digital identity, identifying gaps and enacting gram, as demonstrated by India’s Aadhaar appropriate remedial policies and legislations. For a program. foundational identity, legislation is needed to authorize a government agency (such as the NIA), ◆◆ Anchor the eID program in a strong institution, whether existing or new, to serve as the coordinator with provisions for good governance, change for eID in the country. The government needs to set management, sustainable business model, mana- the charter for NIA, and balance the charter with the gerial and technical capacity, data protection, role of other government agencies, for functions of strong operational controls, monitoring and enrollment, national ID card issuance, and identity evaluation (M&E), and long-term operations and services. maintenance (O&M): eID requires a strong oper- ating arm of the government that demonstrates op- ◆◆ Determine enrollment approach for identity— erational efficiency over time and is resilient to through civil registry or biometrics for changes in the political environment. To build a ro- development: The government has broadly two bust institution, the government may consider put- avenues through which to register people: (a) through ting in place specialized commissions that provide a civil registry; or (b) using biometric technology. recommendations to the government on various Many developing countries lack a strong civil registry technical and operational details. These recom- for births and deaths. Revamping and building the mendations may span: the structure of the UIN, the capacity of a civil registry is a sizeable task, and use of biometrics, the digital signature and trust requires digitizing paper records of historic births model, the identity data model, the choice of and deaths, creating applications and processes to electronically capture data of future births and deaths 42 See Gelb and Clark (2013). 44 Digital Identity Toolkit: A GUIDE FOR STAKEHOLDERS IN AFRICA credentials, the data security and privacy underpin- platform for interoperability are necessary condi- nings, the technology strategy, and the approach for tions. The government should give special attention mapping the population for mass enrollment. The to preventing any lock-in due to vendor or technol- business model for the institution should focus on ogy in its technology solution. The procurement of affordability of registration and credentialing to the technology should be based on a competitive and population, while examining potential revenue transparent procurement process, open to interna- streams for sustainability. The technology-centric tional, regional, and local vendors. The technology nature of eID requires extra attention to building strategy should support a healthy marketplace of technical and operational capacities throughout the identity within the country. eID organization: for enrollment, back end, de-du- plication, credential issuance, certification manage- ◆◆ Communicate effectively and provide channels ment, and identity services. The government would for complaint resolution and redress: A digital need to plan and budget for M&E, O&M, and staff identity touches people directly—in the way it training. Financial planning for the eID program prompts people to register, gives them a badge of should be realistic, taking into account the total cost identity, and allows them to use identity in their dai- of ownership, including up-front fixed costs and ly lives. To be effective, an eID program should em- yearly operating costs. ploy a strong communication plan, raising public awareness about eID and educating people about ◆◆ Pursue PPP, where feasible: eID can pose chal- what is expected of them, what changes are brought lenges of technical know-how and investment for a about by eID, and how the government has put in government. The long-term operations of an eID place benefits and protections for people to use eID. program are also susceptible to changes in the polit- The program should address misconceptions and ical environment. The private sector can help bal- concerns about eID among the population and pro- ance the government mandate of a national eID vide a channel—whether in-person, online, or by program with the private sector’s efficiency, exper- phone—through which individuals can file com- tise, and resource mobility. The government could plaints and seek redress when in need. explore a PPP arrangement with the private sector, including but not limited to, using outsourcing, This report has provided a conceptual framework for concession, service-level agreement, build-oper- identity management and a strategic overview of the ate-transfer, or private participation. functional blocks that need to be put in place in order to build a modern electronic identity system. In the ◆◆ Adopt a technology strategy, aiming for cost effi- coming years, the convergence of several factors (such ciency, interoperability, scalability, reliability, as mobility, electronic commerce, hyper-connectivity, and availability: From the outset, the government and social media), which are already under way, is likely should consider a technology solution that is low- to deepen a dependency on digital identification and cost and is scalable to reach national coverage. The to alter societal and legal notions of identity. This will technology architecture should adapt to the specific likely make the subject of eID more important. Today, socioeconomic conditions of the country, leverag- national governments recognize their responsibility to ing existing resources, where possible, and priori- facilitate the development of eID to exploit the oppor- tizing important Use Cases for rapid adoption. In- tunities offered, enhance the security of transactions, ternational standards and an open architecture and improve the delivery of services to people. Policy Considerations 45