Countries that intend to upgrade their identification systems today find themselves drawn into a complex vortex.
Being able to authenticate and identify individuals has become critical in today’s world and biometrics is often seen as the silver bullet to accomplish this task. However, biometrics is not the ultimate solution to identity, especially at the national and international level. At the same time, it is also one way in which different identity databases and systems can be accurately tested for duplication and fraud.
There is a global move to create or update identification systems on a national scale, according to set standards, which will (ideally) create a reliable identity mechanism for every individual on the planet that can potentially be used in numerous scenarios, with security and authenticity being the foundation of them all.
Sanjay Dharwadker has contributed to many Hi-Tech Security Solutions publications on the topic of identity and biometrics over the years. In this issue we summarise a paper he presented at Jesus College, Cambridge in March 2019, titled ‘Border Crossing and National Identification’, in which he expands on the above. A link to the full presentation is at the end of the article.
Introduction
Many countries today have multiple, frequently overlapping identification systems. Often these belong to different arms of the same government and were set up at various points in time to meet diverse objectives.
Significant among them are the system to register and aggregate statistics about vital events such as birth, death, and marriage, also known as civil registration and vital statistics (CRVS). While there are older historical references, CRVS in its modern form has been around for over a century – since 1853 in the UK and since 1902 in the US. Today, every country has a CRVS system, but one in every four persons worldwide still does not have their birth registered. Statistics for deaths are even more sparse.
On the other hand, there are more modern national (civil) identification systems that also capture an individual’s biometrics. But often such systems do not include other traits of an identity, such as date and place of birth and names of parents. Such information is often critical to determine an individual’s entitlements and rights and their relationship to the state. However, biometrics can ensure that it is the same individual (verification or authentication) and through a more elaborate use of matching a biometric against all others in a system (identification), provide conclusive evidence that an individual is unique and not registered twice, under different names for example.
While biometrics is the key feature of a civil identification system, corroboration is central to civil registration; for example, a notification by a health worker and a declaration by parents, verified by a registrar.
There are also functional subsets of individuals in a country, such as those found on electoral rolls, tax payers, and those who receive state subsidies and pensions. Often, the three – civil registration, civil identification and a functional sub-system – need to work together. For example, civil registration might establish the entitlement to stand for elections and vote (by being a citizen by birth, for example), while civil identification might establish (by using biometrics) that it is indeed the same person.
During the last few decades there has been a diversification in the modes of biometrics being deployed, from fingerprints to face and iris as well as signatures, gait, voice, and somewhat of a final frontier, the use of deoxyribonucleic acid (DNA) that not only identifies a person but also links to parentage, ancestry, and even ethnicity and race.
Also important to the development of identification systems has been the evolution of identification cards – from paper to plastic and from eDocuments with embedded chips (smartcards and ePassports) to entirely digital identity records.
The identity game changer
There has been considerable debate about all this recently, especially since 2015 with the formulation of the United Nations (UN) Sustainable Development Goals (SDGs). Among the seventeen goals and its one hundred and sixty-nine constituent targets is UN SDG 16.9, which states, “By 2030, provide legal identity for all, including birth registration.” This is considered integral to goal 16, which states, “Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels.”
Target 16.9, while setting a clear direction, has also generated many apprehensions. Although birth registration is legally endorsed in 196 countries, as stated earlier the records are far from complete and despite the current policy focus, access to funds, and expertise, progress is dismal. Also, there is no universally accepted definition of legal identity and finally, how are we to catch up with 100% birth registration in just over a decade? Like immunisation, which has plateaued out at about 85%, has birth registration completeness too reached an empirical upper limit?
Legal frameworks for identification
On the other hand, significant investments are being made all over the world and brand-new identification systems continue to be commissioned. A case in point is the Aadhaar system in India that has enrolled over 1,2 billion people and is currently being used for thousands of payment and welfare applications. Every day, the system verifies over 35 million transactions and authenticates 24 million biometrics. Using empirical yardsticks, the Aadhaar system is a significant success, but on using a diversity of normative benchmarks, not everyone agrees.
Biometric failure for the old and infirm, for example, has been an especially glaring cause of concern on its promise of universal inclusion. The individual constituents that can enrol for Aadhaar, ironically, fall in between conventional classifications – it neither consists of all persons born in the territories of India, nor its citizens, nor its nationals, but temporally defined ‘residents’; that is, those who have continuously resided in the country for over 182 days. Why this works in the Indian context is the subject of another discussion.
Many countries have updated their civil registration laws to bring them in line with the UNCRC. This is a human rights treaty which sets out the civil, political, economic, social, health and cultural rights of children, and specifically provides for registration at birth and having a name, parentage, and nationality recorded, as stipulated under its articles 7 and 8. However, not all countries have entirely superseded older practices such as the family book which continue to have legal or quasi-legal status. Also, such laws and traditions are read along with judgements passed by various courts on the subject that make both interpretations and exceptions.
The legal frameworks for civil identification systems seem to originate in at least three different ways. The first is where an existing law (population registration, for example) is amended and every individual on the register is deemed entitled to an electronic record with biometrics. The second is a de novo statute like in India – the Aadhaar (targeted delivery of financial and other subsidies, benefits, and services) Act, 2016. The third is where a country already has the equivalent of an electronic transaction or information technology act, and an amendment is made for applicability to the national population register, that might be stipulated in another act.
A predominant feature of national (civil) identification systems is that they originated in the era of information and communication technology (ICT) and therefore also work to transform paper-based registers to electronic identification records – something that also made the deployment of large-scale biometrics possible. Therefore, parts of the legal changes today have been necessary to keep up with the technological change brought about by such deployment.
In some cases, even though the legal position has changed substantially, amendments have only been brought about one step at a time through administrative changes, via orders passed at the bureaucratic level and made public in the National Gazette or equivalent of a country.
Birth registration, for example, provides rudimentary data that is necessary (though not sufficient) for legal identity like date and place of birth (jus soli) and parentage (jus sanguinis). It may also be required for determining entitlements. Thus, while birth registration might be referenced for tasks that could affect an individual decisively, these are few and far between during the lifetime of a person. However, civil identification (verification using biometrics) could be deployed multiple times every month: for payments, pensions, rations, and so on. Usage, too, impacts the legal and technological nature of the systems.
However, there are limits to which such identification systems can be deployed and the first such limit is quite literally the national border, beyond which travel documents like the passport come into play.
Travel documents and identification
What used to be commonly called a passport is more correctly referred to now as a ‘Machine-Readable Travel Document’ (MRTD). There were two reasons for this very characteristic change. It was stipulated that after 24 November 2015, handwritten passports would no longer be accepted as a travel document. Instead, they had to be printed using high-security printers and one of the new features would be the machine-readable zone (MRZ), from where a scanner could automatically pick up relevant information for processing by a computer, for example at an airline check-in or immigration counter.
Incidentally, the standard selected for the MRZ was not a usual barcode, but a string of characters and numerals separated by chevrons (<). The text printing on a passport is also highly standardised in terms of font, size, and spacing, and constitutes the visual inspection zone (VIZ). Part of the VIZ is also a photograph of the passport holder.
A more advanced version (issued by over one hundred and five countries) is the electronic passport (ePassport) that has an embedded contactless electronic chip. This chip not only carries the text information of the VIZ but also the photograph which is stored in such a way that it can be used for automatic facial recognition. The data stored on the chip consists of a mandatory minimum set and provides space for optional storage. There is even space for yet unimagined future use. An option is already provided for storing a scanned image of a birth certificate (ICAO Doc 9303 part 10 – LDS or Logical Data Structure).
The current versions of the passport chip are designed for one-time data that is written, stored, and then locked on the chip. However, a new version of the standard provides for the first time that a part of the chip memory can be dynamically updated and is likely to be first used, among others, for electronic recording of entry and exit at each border. There are many more details of the new emerging standards that require a lengthy discussion, including the use of multiple biometrics.
The travel visa
Superimposed on the primary travel document, the MRTD, is a secondary travel document, the travel visa. This standardised sticker pasted on a passport page is stipulated as a specific requirement, usually between countries. An MRTD is universal; on its front page, every country includes a statement to request unhindered travel across international borders. However, the travel visa often qualifies this by imposing additional conditionalities and restraints.
Currently (except for a field structure specification in the LDS) there is no standard for an electronic version of a travel visa. However, countries have innovated by introducing services like ‘Visa On Arrival’ as well as electronic travel authorisation. Travel visas belong to the realm of national legislation as well as regional arrangements like the Schengen across European countries. The travel visa in its current form originated around the same time as the passport; that is, just after World War I, around 1920.
Advance Passenger Information
The twenty-first century has seen yet other travel conditionalities being imposed; key among them is Advance Passenger Information (API). Introduced soon after 9/11 as a counter-terrorism measure, its legal moorings rest on a United Nations Security Council (UNSC) resolution that resulted out of its 4385th meeting on 28 September 2001. As per official records, the meeting lasted barely five minutes (convoked 21:55 and adjourned 22:00) and thus gives little indication about the discussions and considerations that went into this announcement.
API allows countries to create watchlists and refer to a central international database hosted by Interpol with its headquarters at Lyon, France. The UNSC resolution prima facie allows a destination country to effectively prevent a passenger from boarding a flight and entering its territory. Among the databases is that of stolen and lost travel documents (SLTD) which currently contains nearly 60 million entries.
Like API, which is initiated when a passenger checks into a flight, a framework has also been envisaged for the passenger name record (PNR) which has a much longer trail, starting with the purchase of a ticket as well as any other related transactions that might include car hire and hotel reservation, and therefore has a wider footprint of an individual identity.
Over four billion passengers embark on a flight annually. While many flights might be made by the same individual, it represents the fact that an astonishing half of the world’s population can be moved annually around the globe, if required.
More than a billion people in about 105 countries hold various generations of electronic passports (eMRTDs) worldwide that enables them to travel across national borders. As described earlier, the eMRTD is a robust document that has become increasingly difficult to fake or copy. With this, the once thriving industry of counterfeit travel documents has been reduced to a trickle, and the focus has shifted to persons assuming false identities to obtain genuine travel documents. This has exposed obvious weaknesses in how MRTDs are linked to national identification systems. The authorities have had to shift their attention to evidence of identity (EoI), and this brings the MRTD’s relation to breeder documents and national identity documents into sharp focus.
In practical terms this means that at the time of an MRTD application (especially the first time), a more thorough examination is made of breeder documents such as the birth certificate. However, this poses challenges such as establishing authenticity, which often falls back on the process of attestation, or the passport issuing authority needing to consult the birth registration authority. If the birth certificate is issued by an indirect authority such as a school principal, this leads to further difficulties. It has been stressed that death records also be checked before issuing an MRTD to ensure that a dead person’s identity is not stolen for the purpose.
To overcome such limitations, passport issuing authorities have put other supporting and reinforcing processes in place, such as checking the individual’s social footprint: the trace of an individual’s existence that can be pieced together by looking at, for example, educational records, employment records, addresses, utility bills, and bank statements. Every state could devise its own methodology for the purpose. This is another example of an empirical process supporting a normative one.
Digital identity and overdependence on encryption
Another topic where national and international identification converge is digital identity. The World Bank’s identification for development programme (ID4D) and inter alia other UN bodies recommend a digital identification framework. Similarly, MRTD standards bodies are already discussing a digital travel credential (DTC). There are parallel discussions at the various ISO bodies for other identification documents such as mobile driver’s licences. The standardisation extends to technologies, devices, electronics, and software. Finally, a cross-functional standards body on ‘virtual identity’ has recently been initiated.
Technical standardisation is often done in isolation, with little attention to its impact on the associated legal framework (and vice versa). It is assumed that good technological innovation will find a place in the legal world too. So often, the actual harmonisation between the two is through an ad hoc patchwork of amendments, ordinances, and gazette orders. These often sit on top of acts that were formulated many decades ago, or even borrowed from the colonial era.
Conversely, there is also patchwork implementation of changes on technical standards to accommodate an existing legal framework. However, recent work on the DTC has involved two simultaneously constituted committees, one for policy and one technical, that work in tandem. One of the first issues to have engaged the two in lively discussion is how a DTC may originate (from the MRTD?), who can issue it (the original issuer?), and who could store, transmit and use the digital record. Such detailed discussion is yet to pick up momentum for civil (national) identification systems and even more so for civil registration.
While nothing might change immediately (moving from hand-written passports to MRTDs took twenty years), constant evolution is expected as the function of API increasingly overlaps with that of the DTC and the electronic visa that of API. Despite each of them taking on entirely new forms, they are likely to continue serving their existing functions well into the foreseeable future.
There is no doubt that going digital involves significant (if not overdue) dependence on encryption and decryption (via deployment of public and private keys, for example). Supposed solutions such as the blockchain, too, heavily depend on encryption. In general, principles of encryption have remained the same over many decades (most of the work on RSA was published by 1977). However, its implementation parameters, such as the key length, have had to keep pace with faster computing capacities, which still continue to double every few years. The first of the new-generation, hyper-fast and hyper-capacity computers that use quantum computing are already in use. It has been expected that this technology would make current encryption practices obsolete. However, recent research has been more optimistic, and encryption is likely to endure well into the future. At the same time, break-ins are disturbingly frequent, not only by insiders and rogue entities, but via systematic state interference as well.
The broader identity situation
The broader identity situation for an individual in daily life is diverse. It covers governments, institutions, companies, associations, clubs, and social media, among others. Looking at just the government requirements, it could require considerable effort to conclusively establish how these could be made compatible with one another.
Let us take the example of biometrics. Are the biometrics of a civil identification system and an MRTD compatible? If the modes are different, fingerprint and face for example, compatibility would not even be feasible. Even if the mode is the same, the biometrics might still be incompatible due to a variety of reasons, both technical and commercial.
Equally important, it might happen that a country’s legal framework does not provide for biometrics under one system but allows for them under another. This is legal incompatibility. There could also be operational, organisational, and administrative incompatibilities.
Similar considerations apply for the biographic details of a person. These are currently the centre of much debate, also in part due to the dynamics unleashed by current political trends in some parts of the world.
Current problems in biographics
In some sense, biographics is a loose term applied to the textual details pertaining to an individual identity. It might include names (surnames/family names, first names, middle names, aliases and variations) as well as allied details such as sex, date of birth, place of birth, and in many cases, address.
MRTDs need to cater to the diverse name and surname conventions across ICAO’s 192 member states and hence to a somewhat generic data structure. However, individual member states might have their own, more specific data structures and even regional variations. These do not automatically map onto one another and thus require manual intervention. This problem has been especially compounded by the advent of the API system, which compares names in MRTDs against names in watchlists. Many cases where the system failed to apprehend likely suspects can be attributed to name mismatch. An institutional mechanism is likely to be set up soon to address this issue.
Linking various identification systems
There are obvious advantages to maintaining a link among identification records pertaining to the same individual in the various systems. While it is a topic of another discussion, it does not seem a good idea to fuse all the identification databases together, simply for the practical difficulties it might cause: among those born in the country are residents, nationals, eligible to vote, etc. The primary difficulty here is how the multiple ownership of such issues can be managed in a coherent manner.
In the realm of technology, two approaches – hierarchical and network-based – can help resolve the conflict. It is important to understand how these approaches might work and what impact these would have on the arrangement of the various identification systems with respect to one another.
Privacy is another issue that tends to hold back the linking of diverse identification systems on the grounds that it prevents or at least inhibits the power that such systems could impart to a surveillance state or a totalitarian state.
Yet another aspect is the dichotomy between legal and physical identity. Further, legal identity itself needs to address two separate notions, that of the natural person and the legal person.
As all these aspects are so central to the identification narrative, it is important to revisit the reasons why they are there in the first place. It also helps assess whether the mutual impact of the various identification systems is fundamental in nature or only incidental, and inter alia whether each system can resolve issues without causing an irretrievable conflict or breakdown in another.
Conclusion
To conclude, it seems useful to look at the national as well as international context of identity together as one single continuum. No doubt, the multiple systems (civil registration, identification, and MRTDs) will need to coexist in a composite model due to their mutually exclusive nature, akin to dimensions of space and time. However, this might have both foreseen and unexpected consequences.
The move towards digital identity makes more systems look like one another or capable of offering each other’s functionality, as shown in the example of the DTC, eVisa, and API. Thus, more systems will tend to collapse and fuse into one another. However, this poses other problems, two of which are extremely important: privacy and ownership. Some paradoxical situations might arise, like the same data being private in one system (civil identification) and public in another (electoral roll).
Not everyone will be virtuous in using identity and identification data. Not only the state, but even the markets provide extreme examples such as racial profiling (through using family names, address, etc.) for real estate sales strategies. The importance of this example is that this calls for regulation in the use of identification data and not the data itself.
Finally, it is meaningful to examine the original objective that we set out with. An individual is extremely vulnerable before the powers of the state and the corporation. Every process tends to create further asymmetry of information. Where does the individual stand then, and how can identity and identification systems support her/him?
The plethora of systems that an individual encounters throughout their life needs to be confronted together and not in isolation. Unfortunately, today there is no mechanism that enables this. National and international stakeholders have virtually no interoperability on the subject. Power is always at play in the constitution of ‘who we are’ and unless there is proactive action on this front, this constitutive ability that needs to be deployed to create a more equitable interdependence will not lead to the imagined greater autonomy for the individual.
As shown by the advent of API, all such constructive initiatives can be thwarted, and the individual placed at the vagaries of a poorly performing algorithm that could impact their national identification record of a lifetime.
A first step in the right direction is to look at all this together, preclude hierarchy and tolerate diversity, because a person’s best chance is in manifesting their inner and outer self effectively, and in as many ways as possible.
The full text of this presentation, as well as the 29 footnotes and references, can be found at www.securitysa.com/*sanjay1 (redirects to https://sanjaydharwadker.org/2019/03/27/border-crossing-and-national-identification/)
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version