IMANI Report: Don’t Mess Up the National ID System
As the government plans to ensure a reliable unified ID system and as the National Identification Authority staggers for the third time in rolling out the system, I reproduce below advice IMANI gave to the previous government on how not to mess up the national ID system. We hope the new National Identification Authority is guided by this report.
IMANI Report: Don’t Mess Up the National ID System
IMANI was pleased to be invited by the World Bank and Citi FM, conveners of the National Identity System Roundtable on the 4th of February 2016, to deliver a paper on the ‘risks and opportunities’ inherent in the implementation of a national ID system in Ghana.
The conveners must have been aware of IMANI’s near-decade fascination with this subject. But the prompting for the roundtable could have come from the recent agitation over the national electoral register, which all political parties and the Electoral Commission in Ghana agree contains ineligible entries that affects its quality, even if there is a dispute about the extent of the impact of these ineligible entries. There is a strong belief that a well-functioning national ID system can help address the quality issues, whatever their extent and impact, affecting the national voters roll.
Our paper consolidated the views of scholars and specialists around the world and in Ghana who have studied national ID systems from multiple perspectives. In doing so, participants from IMANI had to examine two issues that most stakeholders appeared most worried about.
Firstly, there is the issue of the wastefulness of multiple agencies developing end-to-end ID systems, drawing funds from the public chest to finance them, and in the process replicating the work of their counterpart agencies in the public sector whilst breeding registration fatigue among citizens. The clarion call appears to favour ‘harmonisation’ of the various ID card schemes into a centralized, national, ID Database.
Secondly, many stakeholders are unconvinced about the quality of the identity data backing the existing identity documents in Ghana today. There is the belief that a brand new ID system will address the shortcomings of existing identity systems by taking a fresh approach.
In the course of the deliberations, it became clear that the National ID Card project is very much alive. However, the Founding Director of the Authority set up in 2003 to see to its implementation believes that the country had wasted nearly a decade and half due to vested interests and probable corruption. Further inquiry is warranted to get to the bottom of the delays and false starts.
IMANI’s presentation was in three parts: Risks, Opportunities and New Thinking (or recommendations).
The opportunities presented by an integrated, secure, National ID Database and Card issuing system are easy to list:
I. A relatively higher quality electoral register and the means to bring us closer to an electronic voting system.
II. A superior credit rating system that can transform the financial industry by minimizing risk and the costs of lending, thus expanding the availability of well-priced capital to businesses.
III. A harmonized national ID system will cut down severely on the costs of the current regime of multiple agencies spending millions of dollars on maintaining separate systems. By some estimates this could be as high as $400 million in avoided spending over the coming few years.
IV. According to the Statistical Service, a well-functioning national ID system will greatly improve the quality of the statistics they collect for policy planning purposes.
V. Proper identification management should make it easier to introduce modern addressing systems, which coupled with effective financial intelligence tools can all contribute to widening the tax net and reducing tax evasion, with massive, positive, macroeconomic benefits for the country.
VI. In an era of heightened anxiety about terrorism and the activities of irregular migrants (some of whom have been implicated in vice cartels promoting illegal mining, human trafficking, and gambling rings), an effective national ID system is an urgent requirement for national and human security.
VII. Most discussants concurred with experts in the room that many promising internet business models, such as e-commerce and subscription software, cannot fully take off in the present time due to serious problems with identity management.
VIII. The ease with which people are able to maintain multiple, fake, identities facilitate all manner of crimes, including corruption, money laundering, and impersonation, all of which practices contribute to the undermining of our national institutions and the general quality of governance.
There was universal consent among the gathering that reforming and revamping citizen identity management policy in Ghana was a top development policy priority that the State has so far failed to accord the necessary attention.
IMANI’s presentation then moved on to assess how these same opportunities, if viewed naively and without careful analysis and study, could easily metamorphose into risks that can exacerbate the very problems a harmonized/integrated, centralized, national ID card system is meant to address.
I. Firstly, there is the issue of the appalling lack of transparency surrounding the entire national ID card project. There has been very limited public, civil society, and research community education about this critical program. No official, definitive, periodic reports have been issued by the National Identification Authority (NIA) to update the public and observers on where the country is, and is going, as far as this program is concerned. The lack of public education and the murky speculation it has spawned give credence to fears, as the founding Director of the NIA himself pointed out, that national interest is being sacrificed for the parochial, economic, interests of a few actors involved in the program.
II. For reasons we shall explain later, it is dangerous for the NIA to have been set up in the way that Act 707 has specified. The President can literally do what he wants with it. He appoints all members, and has only to observe the quota of one representative from certain named institutions. Through his Minister, he can issue any directive based on his understanding of ‘public interest’ and more or less tele-operate the entire national ID system from his bedroom. There is virtually no autonomy from executive interference for the NIA.
III. It can be argued that the regulator of the NIA, in its functions as an operational agency, is the Data Protection Commission (DPC). As a data controller, the NIA is expected to comply with certain statutes, the enforcement, or at least monitoring, of which is entrusted to the DPC. Unfortunately, the act that sets up the DPC (Act 843) is even more loosely drafted (particularly section 5) than the one that set up the NIA. All members of the DPC serve at the leisure of the President, who can fire at will. There is zero autonomy for the institution, though for reasons that we shall explain shortly, its role and mandate is as sensitive as any of the other, better protected, constitutional bodies, such as the Commission for Human Rights and Administrative Justice (CHRAJ). Whilst it is true that not all Article 70 office holders require the same level of autonomy to discharge their constitutional duties properly, we strongly hold that the NIA and DPC count among those that require the highest level of freedom from the Executive.
IV. Why do we say that the NIA and DPC require adequate autonomy to do their work properly? It is because the National Identity Register (which apparently already contains biodata of 15 million Ghanaians, according to the Chief Executive Officer of the private partner of the NIA in the project, a Ghanaian-Danish company known as Identity Management Service - IMS) when active and in full operation would be one of the most powerful systems of citizen control ever seen in this country.
The law under subsections 38(1)(B) and 4(2)(d) of the National Identity Register Act (NIRA – Act 750) grant the Minister in charge the power to add information about individual citizens based on his view of public interest. Under 44(A), such information may include, among other categories, criminal, employment, educational and health data. Effectively, a full and evolving profile of persons who are of interest to the regime can be stored there and released to any agencies that the Minister or the NIA Head determines.
Though subsequent disclosure of this data by these agencies requires the personal consent of the individual on whom the data is held, there are several loose exceptions in section 49 of the Act that enables that disclosure to be done in secret, without prior notification to the data subject. And the NIA can refuse citizens access to data held on them based on similar loose exceptions.
Citizens may go to the DPC for recourse if they believe the NIA is acting unethically or illegally, but the law only grants them the right for their contestation to be added alongside their biodata and nothing more. The DPC is not empowered to investigate the basis of the NIA’s refusal to show the data to the individual or correct wrongly entered data, nor to mediate between the parties. Though in the NIRA Act, there are provisions for appeal to CHRAJ in specific instances, no procedures are outlined, and CHRAJ is granted no powers to mediate either. In fact, only the courts (the Court of Appeal in the case of a refusal of the NIA to register an individual for an ID card) can provide any serious relief. But as most of us would agree, the cost of accessing Ghanaian courts, in the absence of a functioning legal aid scheme, is prohibitive for most citizens.
V. There are no provisions in the law, nor have any guidelines been provided, for an effective logging system to track access and distribution of data held on individuals, especially in ways that can facilitate surveillance. Whenever a user presents their NIA Card (the proposed ‘Ghana Card’) and same is authenticated, a trail is left of the User’s activities across the country. This is one of the key reasons why in many advanced countries, privacy activists oppose attempts to make National ID Cards mandatory. The lack of this tradition of activism in Ghana means that the cards are indeed mandatory. If certain services become tied to the card then it also means that one cannot evade the surveillance that can be enabled by the card.
There are however precedents from other common law jurisdictions that such requirements for mandatory card registration by citizens can be overturned in the Courts. The Indian Supreme Court has already issued three orders compelling the Indian Identity Authority to treat that country’s National ID cards (the ‘Aadhar’) as voluntary. The reasoning is that if a citizen has another means of proving their citizenship (such as a passport or birth certificate) then they cannot be compelled to carry a particular card to access any privilege due them as a citizen. This logic may be reinforced by the fact that the law actually makes other identity documents the basis for one to show eligibility to receive the National ID Card. So on what basis can one be denied services for preferring the existing documents to the National ID Card? And if one cannot be denied services for not possessing the card, then what does ‘mandatory’ mean?
All the discussions in the preceding assume that the law will be obeyed by the NIA. We have argued that the law, as it stands now, leaves room for abuse. But the fact is that the NIA has already proven itself capable of twisting and even outright breaking the law if its ambitions are impeded by it. In a bid to raise revenue it announced a policy
“to register all permanently resident foreign nationals and those who will be in the country for at least 90 cumulative days in any given year.”
The problem is that the law that set up the NIA explicitly stated that the registration should cover Ghanaians and PERMANENT RESIDENTS. Somehow, by the time the NIRA Act was passed, the eligibility had been expanded to cover those with a Resident Permit for at least one year (despite the same Act defining a Resident Permit as authorization to remain in Ghana for a substantial length of time not exceeding 4 years). But be that as it may, how did the NIA unilaterally manage to create policy to grant provision of the card to even those in the country for just 91 days?
VI. In addition to the legal and regulatory challenges above, it is important to consider the experience of other countries that have existing electronic citizen identity registers or have been working on introducing harmonized national ID Cards. Last year, Israel published the results of its pilot of a national ID card. Nearly 20% of cards were found to be inoperable at critical points in time, and more than 400,000 failed biometric readings were recorded. Considering that only 91000 people took part in the scheme, this is worrying. We also have the experience of the last elections in Ghana and Kenya where a much simpler process of biometric verification failed in several polling stations.
While it is true that the technical partners of the project have committed to submit the process to ISO certification and other reviews, the truth is that there is no evidence that this has been done to date. ISO certification shall obviously not be sufficient for such a mission-critical system. To recognize the sensitivity of the system, EAL7 certification should be implemented to fortify against technical risks.
Policy and human-behavioral risks are of course harder to safeguard against. In the relatively advanced setting of the US, police databases are routinely abused. In one crazy situation in Delaware, the Town Manager of Newport was arrested for providing gamblers with access to highly confidential data on citizens to assist the crooks target vulnerable victims. There are also reports from Michigan of US federal agents and others using data from police databases to stalk women, among other such abuses.
If we fail to implement the appropriate controls, a harmonized national database that stores a wide range of information on subjects shall become available to anyone with the resources to corrupt security agencies and others with access to the citizen records. Ruling parties will deploy the systems to stalk and blackmail dissenters and activists. And powerful individuals will implant false and pernicious data on others whose lives they seek to destroy.
VII. How the mechanism for pre-emptive discovery of abuse and error is set up will determine the success or failure of this whole process. A proper independent Information Ombudsman role is required at the very top of the DPC to ensure that the system is subjected to rigorous routine, and unannounced, checks. Such tests in the US revealed in 1999 that the FBI Database was randomly assigning criminal records to 5.5% of civil servants checked. In the UK, researchers have established that in 20% to 30% of instances the Police National Computer issues a false positive or negative or other inverted result. Partnering with the Research Community in Ghana and abroad should ensure that these regular exercises contribute to the effectiveness of the register and its sound use.
VIII. Just as Ghana has had an integrated Payroll Management System (IPPD) for more than two decades now (we are currently on the third version since 1995) and yet the problem of ghost names continues to bedevil the country, with Auditor General report after report showing the wanton dissipation of billions (yes, billions) of dollars over the same period due to fraudulent entries, simply ‘harmonising ID Card systems’ won’t guarantee sound performance.
The ‘mechanised and integrated’ IPPD-3 notwithstanding, we still, for instance, continue to suffer the spectacle of nurses, teachers, and other such important social workers sometimes going unpaid for more than a year. Clearly, insofar as a ‘harmonised’ ID card system will simply be harmonizing the existing bureaucratic structures, many of which continue to show dysfunctional characteristics (the Birth & Deaths Register today records only 40% of deaths and 60% of births), we cannot just assume that ‘harmonisation’ without careful, and widely scrutinized and implemented, policies shall lead to automatic benefits for this country. It is important to note that the maximum number of people the IPPD needs to manage is about 3% of what the Harmonised National Identity Database would be expected to manage, a mere fraction per se.
C. New Thinking or Way Forward
Since the decision was taken to utilize a PPP approach to implementing the National ID Database, and IMS was selected to play the role of technical and strategic partner, the NIA has failed to present to the country any clear updates regarding the status of the project, the financial planning arrangements, and the consolidated technical specifications of the system. Considering that the foreigner registration program could only achieve a penetration of 10%, and the inability of the PPP to conclude the mass registration program to achieve the 80% coverage rate anticipated, it is important that a detailed policy document be released to show clearly what the current state of the initiative is, and whether the arrangement can still be referred to as a PPP when government is reported to be raising funds for deployment.
II. Legal, Administrative & Regulatory Reform
The three main statutes governing the operations of the national identity management system – Acts 707, 750 and 843 – need overhauling to reduce the system’s total dependence on the executive branch of Government, and to change the current situation where the system appears designed as a personal plaything of the President and his favourite appointees.
III. Value for Money
As is our habit in this country, we have focused primarily on the setup and capital costs of the system, with scant regard for the maintenance and operations. It is important that the system not become dependent on executive charity for its functioning, as so many underperforming institutions, such as CHRAJ and the NCCE have become. For this to happen, the benchmark for running costs should be rigorously set.
India is currently operating the world’s largest national identity register at the cost of about 25 US cents per person per annum. A reasonable amount in Ghana should be 50 cents per annum. That will mean a roughly $10 million annual budget at 80% population penetration. Licensing of the authentication engine to the private sector and offering big data applications to researchers on anonymized data should be sufficient for the NIA then to cover this cost without expecting much by way of government subvention. For the authentication engine to be robust in both satisfying the data analysis needs of the private sector, whilst preserving the privacy and security of individuals, chip and PIN mechanisms and distributed architectures are a must. Reports suggest that the 2.7 million cards printed to date do not have embedded chip.
IMS has presented dummy cards that purport to show that the cards to be used in the upcoming pilots will have encrypted chips. How will citizens set up their PINs then? What kind of authentication engine design is being put in place to prevent malicious writing to and outright forgery of cards? What will be the validation system for the cards at various agencies and checkpoints? The original idea of simply setting up dumb terminals at various agencies and entrusting point/focal persons with passwords is completely unsuitable for the kind of intelligent distribution architecture required to achieve both centralized authentication and devolved storage of information, which in turn are needed in order not to enable agencies with no need to know certain things about private citizens getting their hands on citizens’ confidential information.
IV. Whilst any mechanism that can halt unnecessary duplication is to be strongly welcome, it is important not to mistake this to mean a central database with a potpourri of information about every Ghanaian accessible at the click of a button by any Police Superintendent. We strongly propose that the most basic data of citizens and their biometric data should be centralized, but not other data related to sensitive aspects of citizens’ life, such as health, educational, employment, revenue & tax, geolocation, travel history, marital, etc. What is needed is an authentication engine to enable other agencies to access and verify topline biodata and biometric information, which is the most security-intensive and costly part of managing modern ID systems. This should massively reduce the cost of managing personal data on citizens by multiple agencies without creating a ‘deep surveillance’ or ‘big brother’ situation.
IMANI hopes that by this report, it has done its part to help launch a critical national debate on the all-important issue of national identification, and that those in charge of the decision-making shall now be compelled to engage with the public, civil society, and the research community in addressing the gaps and risks identified.
This report is issued under open license by the IMANI Center for Policy & Education. Citations, extracts and republication are encouraged provided due credit is given. References and bibliography can be obtained by writing to IMANI.