The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Panel discussion on 'How to Avoid Digital ID Systems That Put People at Risk: Lessons from Afghanistan' at Freedom Online Conference
http://editors.cis-india.org/internet-governance/news/panel-discussion-how-to-avoid-digital-id-systems-that-put-people-at-risk
<b>Amber Sinha participated as a panelist in a panel discussion on How to Avoid Digital ID Systems That Put People at Risk: Lessons from Afghanistan at the Freedom Online Conference yesterday.</b>
<p style="text-align: justify; ">The Freedom Online Coalition (FOC) was established in 2011 in response to the growing recognition of the importance of the Internet for the enjoyment of human rights. Periodically, the FOC holds a multistakeholder Conference that aims to deepen the discussion on how online freedoms are helping to promote social, cultural and economic development. The ownership of the Conference program and outputs lies with the host country, most often the Chair of the Coalition during that year.</p>
<p style="text-align: justify; ">The aim of the panel was to use the lessons learned from the Afghanistan case to take a critical and realistic look at the implementation of digital identification programs around the world. A video of the panel can be <a class="external-link" href="https://www.freedomonlineconference.com/session/how-to-avoid-digital-id-systems-that-put-people-at-risk-lessons-from-afghanistan">accessed here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/panel-discussion-how-to-avoid-digital-id-systems-that-put-people-at-risk'>http://editors.cis-india.org/internet-governance/news/panel-discussion-how-to-avoid-digital-id-systems-that-put-people-at-risk</a>
</p>
No publisherpraskrishnaFreedom of Speech and ExpressionDigital IDInternet Governance2021-12-03T14:52:35ZNews ItemDo We Really Need an App for That? Examining the Utility and Privacy Implications of India’s Digital Vaccine Certificates
http://editors.cis-india.org/internet-governance/blog/do-we-really-need-an-app-for-that-examining-the-utility-and-privacy-implications-of-india2019s-digital-vaccine-certificates
<b>We examine the purported benefits of digital vaccine certificates over regular paper-based ones and analyse the privacy implications of their use.</b>
<p><em>This blogpost was edited by Gurshabad Grover, Yesha Tshering Paul, and Amber Sinha.<br />It was originally published on <a href="https://digitalid.design/vaccine-certificates.html">Digital Identities: Design and Uses</a> and is cross-posted here.<br /></em></p>
<p>In an experiment to streamline its COVID-19 immunisation drive, India has adopted a centralised vaccine administration system called CoWIN (or COVID Vaccine Intelligence Network). In addition to facilitating registration for both online and walk-in vaccine appointments, the system also allows for the <a href="https://verify.cowin.gov.in/" target="_blank">digital verification</a> of vaccine certificates, which it issues to people who have received a dose. This development aligns with a global trend, as many countries have adopted or are in the process of adopting “vaccine passports” to facilitate safe movement of people while resuming commercial activity.
<br /><br />Some places, such as the <a href="https://www.schengenvisainfo.com/news/all-your-questions-on-eus-covid-19-vaccine-certificate-answered/" target="_blank">EU</a>, have constrained the scope of use of their vaccine certificates to international travel. The Indian government, however, has so far <a href="https://www.livemint.com/opinion/columns/vaccination-certificates-need-a-framework-to-govern-their-use-11618160385602.html" target="_blank">skirted</a> important questions around where and when this technology should be used. By allowing <a href="https://verify.cowin.gov.in/" target="_blank">anyone</a> to use the online CoWIN portal to scan and verify certificates, and even providing a way for the private-sector to incorporate this functionality into their applications, the government has opened up the possibility of these digital certificates being used, and even mandated, for domestic everyday use such as going to a grocery shop, a crowded venue, or a workplace.
<br /><br />In this blog post, we examine the purported benefits of digital vaccine certificates over regular paper-based ones, analyse the privacy implications of their use, and present recommendations to make them more privacy respecting. We hope that such an analysis can help inform policy on appropriate use of this technology and improve its privacy properties in cases where its use is warranted.
<br /><br />We also note that while this post only examines the merits of a technological solution put out by the government, it is more important to <a href="https://www.accessnow.org/cms/assets/uploads/2021/04/Covid-Vaccine-Passports-Threaten-Human-Rights.pdf" target="_blank">consider</a> the effects that placing restrictions on the movement of unvaccinated people has on their civil liberties in the face of a vaccine rollout that is inequitable along many lines, including <a href="https://thewire.in/gender/women-falling-behind-in-indias-covid-19-vaccination-drive" target="_blank">gender</a>, <a href="https://www.thehindu.com/sci-tech/science/will-25-covid-19-vaccines-for-private-hospitals-aggravate-inequity/article34799098.ece" target="_blank">caste-class</a>, and <a href="https://scroll.in/article/994871/tech-savvy-indians-drive-to-villages-for-covid-19-vaccinations-those-without-smartphones-lose-out" target="_blank">access to technology</a>.</p>
<h4>How do digital vaccine certificates work?</h4>
<p>Every vaccine recipient in the country is required to be registered on the CoWIN platform using one of <a href="https://www.cowin.gov.in/faq" target="_blank">seven</a> existing identity documents. [1] <a name="ref1"></a> Once a vaccine is administered, CoWIN generates a vaccine certificate which the recipient can access on the CoWIN website. The certificate is a single page document that contains the recipient’s personal information — their name, age, gender, identity document details, unique health ID, a reference ID — and some details about the vaccine given.<a name="ref2"></a> [2] It also includes a “secure QR code” and a link to CoWIN’s verification <a href="https://verify.cowin.gov.in/" target="_blank">portal</a>.
<br /><br />The verification portal allows for the verification of a certificate by scanning the attached QR code. Upon completion, the portal displays a success message along with some of the information printed on the certificate.
<br /><br />Verification is done using a cryptographic mechanism known as <a href="https://en.wikipedia.org/wiki/Digital_signature" target="_blank">digital signatures</a>, which are encoded into the QR code attached to a vaccine certificate. This mechanism allows “offline verification”, which means that the CoWIN verification portal or any private sector app attempting to verify a certificate does not need to contact the CoWIN servers to establish its authenticity. It instead uses a “public key” issued by CoWIN beforehand to verify the digital signature attached to the certificate.
<br /><br />The benefit of this convoluted design is that it protects user privacy. Performing verification offline and not contacting the CoWIN servers, precludes CoWIN from gleaning sensitive metadata about usage of the vaccine certificate. This means that CoWIN does not learn about where and when an individual uses their vaccine certificate, and who is verifying it. This closes off a potential avenue for mass surveillance. [3] However, given how certificate revocation checks are being implemented (detailed in the privacy implications section below), CoWIN ends up learning this information anyway.</p>
<h4>Where is digital verification useful?</h4>
<p>The primary argument for the adoption of digital verification of vaccine certificates over visual examination of regular paper-based ones is security. In the face of vaccine hesitancy, there are concerns that people may forge vaccine certificates to get around any restrictions that may be put in place on the movement of unvaccinated people. The use of digital signatures serves to allay these fears.
<br /><br />In its current form, however, digital verification of vaccine certificates is no more secure than visually inspecting paper-based ones. While the “secure QR code” attached to digital certificates can be used to verify the authenticity of the certificate itself, the CoWIN verification portal does not provide any mechanism nor does it instruct verifiers to authenticate the identity of the person presenting the certificate. This means that unless an accompanying identity document is also checked, an individual can simply present someone else’s certificate.
<br /><br />There are no simple solutions to this limitation; adding a requirement to inspect identity documents in addition to digital verification of the vaccine certificate would not be a strong enough security measure to prevent the use of duplicate vaccine certificates. People who are motivated enough to forge a vaccine certificate, can also duplicate one of the seven ID documents which can be used to register on CoWIN, some of which are simple paper-based documents. [4] Requiring even stronger identity checks, such as the use of Aadhaar-based biometrics, would make digital verification of vaccine certificates more secure. However, this would be a wildly disproportionate incursion on user privacy — allowing for the mass collection of metadata like when and where a certificate is used — something that digital vaccine certificates were explicitly designed to prevent. Additionally, in Russia, people were <a href="https://www.washingtonpost.com/world/europe/moscow-fake-vaccine-coronavirus/2021/06/26/0881e1e4-cf98-11eb-a224-bd59bd22197c_story.html" target="_blank">found</a> issuing fake certificates by discarding real vaccine doses instead of administering them. No technological solution can prevent such fraud.
<br /><br />As such, the utility of digital certificates is limited to uses such as international travel, where border control agencies already have strong identity checks in place for travellers. Any everyday usage of the digital verification functionality on vaccine certificates would not present any benefit over visually examining a piece of paper or a screen.</p>
<h4>Privacy implications of digital certificates</h4>
<p>In addition to providing little security utility over manual inspection of certificates, digital certificates also present privacy issues, these are listed below along with recommendations to mitigate them:
<br /><br /><em>(i) The verification portal leaks sensitive metadata to CoWIN’s servers:</em> An analysis of network requests made by the CoWin verification portal reveals that it conducts a ‘revocation check’ each time a certificate is verified. This check was also found in the source <a href="https://github.com/egovernments/DIVOC/blob/e667697b47a50a552b8d0a8c89a950180217b945/interfaces/vaccination-api.yaml#L385" target="_blank">code</a>, which is made openly available<a name="ref5"></a>.
[5]</p>
<p>Revocation checks are an important security consideration while using digital signatures. They allow the issuing authority (CoWIN, in this case) to revoke a certificate in case the account associated with it is lost or stolen, or if a certificate requires correction. However, the way they have been implemented here presents a significant privacy issue. Sending certificate details to the server on every verification attempt allows it to learn about where and when an individual is using their vaccine certificate.
<br /><br />We note that the revocation check performed by the CoWIN portal does not necessarily mean that it is storing this information. Nevertheless, sending certificate information to the server directly contradicts claims of an “offline verification” process, which is the basis of the design of these digital certificates.
<br /><br /><strong>Recommendations:</strong> Implementing privacy-respecting revocation checks such as Certificate Revocation Lists, [6] or Range Queries [7] would mitigate this issue. However, these solutions are either complex or present bandwidth and storage tradeoffs for the verifier.
<br /><br /><em>(ii) Oversharing of personally identifiable information:</em> CoWIN’s vaccine certificates include more personally identifiable information (name, age, gender, identity document details and unique health ID) than is required for the purpose of verifying the certificate. An examination of the vaccine certificates available to us revealed that while the Aadhaar number is appropriately masked, other personal identifiers such as passport number and unique health ID were not masked. Additionally, the inclusion of demographic details, such as age and gender, provides little security benefit by limiting the pool of duplicate certificates that can be used and are not required in light of the security analysis above.
<br /><br /><strong>Recommendation:</strong> Personal identifiers (such as passport number and unique health ID) should be appropriately masked and demographic details (age, gender) can be removed.
<br /><br />The minimal set of data required for identity-linked usage for digital verification, as described above, is a full name and masked ID document details. All other personally identifying information can be removed. In case of paper-based certificates, which is suggested for domestic usage, only the details about vaccine validity would suffice and no personal information is required.
<br /><br /><em>(iii) Making information available digitally increases the likelihood of collection:</em> All of the personal information printed on the certificate is also encoded into the QR code. This is <a href="https://www.bbc.com/news/uk-scotland-57208607" target="_blank">necessary</a> because the digital signature verification process also verifies the integrity of this information (i.e. it wasn’t modified). A side effect of this is that the personal information is made readily available in digital form to verifiers when it is scanned, making it easy for them to store. This is especially likely in private sector apps who may be interested in collecting demographic information and personal identifiers to track customer behaviour.
<br /><br /><strong>Recommendation:</strong> Removing extraneous information from the certificate, as suggested above, mitigates this risk as well.</p>
<h4>Conclusion</h4>
<p>Our analysis reveals that without incorporating strong, privacy-invasive identity checks, digital verification of vaccine certificates does not provide any security benefit over manually inspecting a piece of paper. The utility of digital verification is limited to purposes that already conduct strong identity checks.
<br /><br />In addition to their limited applicability, in their current form, these digital certificates also generate a trail of data and metadata, giving both government and industry an opportunity to infringe upon the privacy of the individuals using them.
<br /><br />Keeping this in mind, the adoption of this technology should be discouraged for everyday use.</p>
<p> </p>
<h4>References</h4>
<p>[1] Exceptions <a href="https://web.archive.org/web/20210511045921/https://www.mohfw.gov.in/pdf/SOPforCOVID19VaccinationofPersonswithoutPrescribedIdentityCards.pdf" target="_blank">exist</a> for people without state-issued identity documents.</p>
<p>[2] This information was gathered by inspecting three vaccine certificates linked to the author’s CoWIN account, which they were authorised to view, and may not be fully accurate.</p>
<p>[3] This design is similar to Aadhaar’s “<a href="https://resident.uidai.gov.in/offline-kyc" target="_blank">offline KYC</a>” process.</p>
<p>[4] “Aadhaar Card: UIDAI says downloaded versions on ordinary paper, mAadhaar perfectly valid”, <em>Zee Business</em>, April 29 2019, <em>https://www.zeebiz.com/india/news-aadhaar-card-uidai-says-downloaded-versions-on-ordinary-paper-maadhaar-perfectly-valid-96790</em>.</p>
<p>[5] This check was also verified to be present in the reference <a href="https://github.com/egovernments/DIVOC/blob/261a61093b89990fe34698f9ba17367d4cb74c34/public_app/src/components/CertificateStatus/index.js#L125" target="_blank">code</a> made available for private-sector applications incorporating this functionality, suggesting that private sector apps will also be affected by this.</p>
<p>[6] <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list" target="_blank">Certificate Revocation Lists</a> allow the server to provide a list of revoked certificates to the verifier, instead of the verifier querying the server each time. This, however, can place heavy bandwidth and storage requirements on the verifying app as this list can potentially grow long.</p>
<p>[7] Range Queries are described in this <a href="https://www.ics.uci.edu/~gts/paps/st06.pdf" target="_blank">paper</a>. In this method, the verifier requests revocation status from the server by specifying a range of certificate identifiers within which the certificate being verified lies. If there are any revoked certificates within this range, the server will send their identifiers to the verifier, who can then check if the certificate in question is on the list. For this to work, the range selected must be sufficiently large to include enough potential candidates to keep the server from guessing which one is in use.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/do-we-really-need-an-app-for-that-examining-the-utility-and-privacy-implications-of-india2019s-digital-vaccine-certificates'>http://editors.cis-india.org/internet-governance/blog/do-we-really-need-an-app-for-that-examining-the-utility-and-privacy-implications-of-india2019s-digital-vaccine-certificates</a>
</p>
No publisherdivyankPrivacyDigital IDCovid19Appropriate Use of Digital ID2021-08-03T05:13:28ZBlog EntrySocial Entitlements for the Transgender Community
http://editors.cis-india.org/internet-governance/blog/social-entitlements-for-the-transgender-community
<b>This report has been authored by Deepa Krishnappa and Tasneem Mewa, and edited by Ambika Tandon, Gurshabad Grover and Rajesh Srinivas. </b>
<p dir="ltr"> </p>
<p dir="ltr">This report is part one of a two-part series studying the
impact of data systems and digital technology on the lives of sexual
minorities and sex workers. This project has been jointly conducted by
CIS and <a class="external-link" href="http://sangama.org/">Sangama</a>.</p>
<p dir="ltr"> </p>
<p dir="ltr"><strong>Abstract</strong></p>
<p dir="ltr"><span id="docs-internal-guid-768a639b-7fff-a71e-f8c2-92c04854b07e">This
report discusses access to social entitlements and sex reassignment
surgery (SRS) among the transgender community in Kolar, Karnataka. We
discuss the barriers to accessing gender-affirmative documentation,
which in turn poses challenges to welfare entitlements and public
healthcare. The data collection for the report was undertaken by union
leaders affiliated with Sangama in the months of June to August 2018.
The report seeks to demonstrate both the resilience of and
discrimination against transgender peoples by individuals (family and
friends) and access to health, legal, and social services. We conclude
that the inability to exercise one’s rights is demonstrative of
circuitous and exclusionary social systems. </span></p>
<p dir="ltr"> </p>
<p dir="ltr"><strong>The full report can be accessed <a class="external-link" href="https://cis-india.org/internet-governance/Social_Entitlements_Transgender_Karnataka">here</a>.</strong></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/social-entitlements-for-the-transgender-community'>http://editors.cis-india.org/internet-governance/blog/social-entitlements-for-the-transgender-community</a>
</p>
No publisherDeepa Krishnappa and Tasneem MewaGenderDigital IDData Systems2020-07-14T06:27:44ZBlog EntryGoverning ID: Kenya’s Huduma Namba Programme
http://editors.cis-india.org/internet-governance/blog/governing-id-kenya2019s-huduma-namba-programme
<b></b>
<p>In our fourth case-study, we use our Evaluation Framework for Digital ID to examine the use of Digital ID in Kenya.</p>
<p>Read the <a class="external-link" href="https://digitalid.design/evaluation-framework-case-studies/kenya.html">case-study</a> or download as <a href="http://editors.cis-india.org/internet-governance/digital-id-kenya-case-study" class="internal-link" title="Digital ID Kenya Case Study">PDF</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/governing-id-kenya2019s-huduma-namba-programme'>http://editors.cis-india.org/internet-governance/blog/governing-id-kenya2019s-huduma-namba-programme</a>
</p>
No publisheramberinternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T13:19:15ZBlog EntryGoverning ID: Use of Digital ID in the Healthcare Sector
http://editors.cis-india.org/internet-governance/blog/governing-id-use-of-digital-id-in-the-healthcare-sector
<b></b>
<p>In our third case-study, we use our Evaluation Framework for Digital ID to examine the use of Digital ID in the healthcare sector.</p>
<p><img src="https://cis-india.org/internet-governance/image-digital-id-healthcare-case-study/" alt="null" width="100%" /></p>
<p>Read the <a class="external-link" href="https://digitalid.design/evaluation-framework-case-studies/healthcare.html">case-study</a> or download as <a href="http://editors.cis-india.org/internet-governance/digital-id-healthcare-case-study" class="internal-link" title="Digital ID Healthcare Case Study">PDF</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/governing-id-use-of-digital-id-in-the-healthcare-sector'>http://editors.cis-india.org/internet-governance/blog/governing-id-use-of-digital-id-in-the-healthcare-sector</a>
</p>
No publisherShruti Trikanadinternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T13:21:22ZBlog EntryGoverning ID: India’s Unique Identity Programme
http://editors.cis-india.org/internet-governance/governing-id-india2019s-unique-identity-programme
<b></b>
<div class="content">
<p>In our second case-study, we use our Evaluation Framework for Digital ID to assess India’s Unique Identity Programme.</p>
<p>Read the <a class="external-link" href="https://digitalid.design/evaluation-framework-case-studies/india.html">case-study</a> or download as <a href="http://editors.cis-india.org/internet-governance/digital-id-india-case-study" class="internal-link" title="Digital ID India Case Study">PDF</a>.</p>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/governing-id-india2019s-unique-identity-programme'>http://editors.cis-india.org/internet-governance/governing-id-india2019s-unique-identity-programme</a>
</p>
No publisherVrinda Bhandariinternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T11:38:51ZBlog EntryGoverning ID: Use of Digital ID for Verification
http://editors.cis-india.org/internet-governance/blog/governing-id-2028use-of-digital-id-for-verification
<b></b>
<p>This is the first in a series of case studies, using our recently-published <a href="https://digitalid.design/evaluation-framework-02.html">Evaluation Framework for Digital ID</a>. It looks at the use of digital identity programmes for the purpose of verification, often using the process of deduplication.</p>
<p><img src="https://cis-india.org/internet-governance/image-governing-id-use-of-digital-id-for-verification/" alt="null" width="100%" /></p>
Read the <a class="external-link" href="https://digitalid.design/evaluation-framework-case-studies/verification.html">case-study</a> or download as <a href="http://editors.cis-india.org/internet-governance/use-of-digital-id-for-verification" class="internal-link" title="Use of Digital ID for Verification">PDF.</a>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/governing-id-2028use-of-digital-id-for-verification'>http://editors.cis-india.org/internet-governance/blog/governing-id-2028use-of-digital-id-for-verification</a>
</p>
No publisherShruti Trikanadinternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T11:16:19ZBlog EntryGoverning ID: A Framework for Evaluation of Digital Identity
http://editors.cis-india.org/internet-governance/blog/governing-id-a-framework-for-evaluation-of-digital-identity
<b></b>
<p>As governments across the globe implement new and foundational
digital identification systems (Digital ID), or modernize existing ID
programs, there is an urgent need for more research and discussion about
appropriate uses of Digital ID systems. This significant momentum for
creating Digital ID has been accompanied with concerns about privacy,
surveillance and exclusion harms of state-issued Digital IDs in several
parts of the world, resulting in campaigns and litigations in countries,
such as UK, India, Kenya, and Jamaica. Given the sweeping range of
considerations required to evaluate Digital ID projects, it is necessary
to formulate evaluation frameworks that can be used for this purpose.</p>
<p>This work began with the question of what the appropriate uses
of Digital ID can be, but through the research process, it became clear
that the question of use cannot be divorced from the fundamental
attributes of Digital ID systems and their governance structures. This
framework provides tests, which can be used to evaluate the governance
of Digital ID across jurisdictions, as well as determine whether a
particular use of Digital ID is legitimate. Through three kinds of
checks — Rule of Law tests, Rights based tests, and Risks based tests —
this scheme is a ready guide for evaluation of Digital ID.</p>
<p><img src="https://cis-india.org/internet-governance/image-governing-id-principles-for-evalution/" alt="null" width="100%" /></p>
<p> </p>
<p>View the <a class="external-link" href="https://digitalid.design/evaluation-framework-02.html">framework</a> or download as <a href="http://editors.cis-india.org/internet-governance/governing-id-principles-for-evalution" class="internal-link" title="Governing ID: Principles for Evalution">PDF</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/governing-id-a-framework-for-evaluation-of-digital-identity'>http://editors.cis-india.org/internet-governance/blog/governing-id-a-framework-for-evaluation-of-digital-identity</a>
</p>
No publisherVrinda Bhandari, Shruti Trikanad, and Amber Sinhainternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T13:22:43ZBlog EntryGoverning ID: Introducing our Evaluation Framework
http://editors.cis-india.org/internet-governance/blog/governing-id-introducing-our-evaluation-framework
<b></b>
<div class="content">
<p>With the rise of national digital identity systems (Digital ID) across the world, there is a growing need to examine their impact on human rights. In several instances, national Digital ID programmes started with a specific scope of use, but have since been deployed for different applications, and in different sectors. This raises the question of how to determine appropriate and inappropriate uses of Digital ID. In April 2019, our research began with this question, but it quickly became clear that a determination of the legitimacy of uses hinged on the fundamental attributes and governing structure of the Digital ID system itself. Our evaluation framework is intended as a series of questions against which Digital ID may be tested. We hope that these questions will inform the trade-offs that must be made while building and assessing identity programmes, to ensure that human rights are adequately protected.</p>
<h4>Rule of Law Tests</h4>
<p>Foundational Digital ID must only be implemented along with a
legitimate regulatory framework that governs all aspects of Digital ID,
including its aims and purposes, the actors who have access to it, etc.
In the absence of this framework, there is nothing that precludes
Digital IDs from being leveraged by public and private actors for
purposes outside the intended scope of the programme. Our rule of law
principles mandate that the governing law should be enacted by the
legislature, be devoid of excessive delegation, be clear and accessible
to the public, and be precise and limiting in its scope for discretion.
These principles are substantiated by the criticism that the Kenyan
Digital ID, the Huduma Namba, was met with when it was legalized through
a Miscellaneous Amendment Act, meant only for small or negligible
amendments and typically passed without any deliberation. These set of
tests respond to the haste with which Digital ID has been implemented,
often in the absence of an enabling law which adequately addresses its
potential harms.</p>
<h4>Rights based Tests</h4>
<p>Digital ID, because of its collection of personal data and
determination of eligibility and rights of users, intrinsically involves
restrictions on certain fundamental rights. The use of Digital ID for
essential functions of the State, including delivery of benefits and
welfare, and maintenance of civil and sectoral records, enhance the
impact of these restrictions. Accordingly, the entire identity
framework, including its architecture, uses, actors, and regulators,
must be evaluated at every stage against the rights it is potentially
violating. Only then will we be able to determine if such violation is
necessary and proportionate to the benefits it offers. In Jamaica, the
National Identification and Registration Act, which mandated citizens’
biometric enrolment at the risk of criminal sanctions, was held to be a
disproportionate violation of privacy, and therefore unconstitutional.</p>
<h4>Risk based Tests</h4>
<p>Even with a valid rule of law framework that seeks to protect
rights, the design and use of Digital ID must be based on an analysis of
the risks that the system introduces. This could take the form of
choosing between a centralized and federated data-storage framework,
based on the effects of potential failure or breach, or of restricting
the uses of the Digital ID to limit the actors that will benefit from
breaching it. Aside from the design of the system, the regulatory
framework that governs it should also be tailored to the potential risks
of its use. The primary rationale behind a risk assessment for an
identity framework is that it should be tested not merely against
universal metrics of legality and proportionality, but also against an
examination of the risks and harms it poses. Implicit in a risk based
assessment is also the requirement of implementing a responsive
mitigation strategy to the risks identified, both while creating and
governing the identity programme.</p>
<p>Digital ID programmes create an inherent power imbalance
between the State and its residents because of the personal data they
collect and the consequent determination of significant rights,
potentially creating risks of surveillance, exclusion, and
discrimination. The accountability and efficiency gains they promise
must not lead to hasty or inadequate implementation.</p>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/governing-id-introducing-our-evaluation-framework'>http://editors.cis-india.org/internet-governance/blog/governing-id-introducing-our-evaluation-framework</a>
</p>
No publisherShruti Trikanadinternet governanceInternet GovernanceDigital IDDigital Identity2020-03-02T08:03:49ZBlog EntryCore Concepts and Processes
http://editors.cis-india.org/internet-governance/digital-identity/shruti-trikanand-and-amber-sinha-september-13-2019-core-concepts-processes
<b>When we embarked on this research project, we began with the primary questions of what constitutes a digital identity system. In the last few years, with the rise in national digital identity projects, there has been significant academic and media attention to the idea, benefits and risks of a digital identity system.</b>
<p style="text-align: justify; ">However, there have been relatively few attempts to critically look at what makes an identity system digital, and what are its defining elements and characteristics. Through a preliminary study of existing identity systems, we have arrived at these core set of concepts and processes that mark a digital identity system. In arriving at this list, we have relied upon and referred to the works by <a href="http://www.chyp.com/wp-content/uploads/2016/07/Digital-Identity-Issue-Analysis-Report.pdf" target="_blank">Dave Birch et al</a>, <a href="http://documents.worldbank.org/curated/en/248371559325561562/pdf/ID4D-Practitioner-Guide-Draft-for-Consultation.pdf" target="_blank">World Bank’s ID4D initiative</a>, <a href="https://www.semanticscholar.org/paper/Becoming-Artifacts-Medieval-Seals%2C-Passports-and-of-Chango/42cf3a5a5a2db067327298e7d8c540c9691171d2" target="_blank">Mawaki Chango</a>, <a href="https://identitywoman.net/domains-of-identity/" target="_blank">Kaliya Young</a> and <a href="https://medium.com/@kezike/the-evolution-of-digital-identity-6c13aca128c0" target="_blank">Kayode Ezike</a>.</p>
<p class="indent" style="text-align: justify; ">By publishing this, we hope to arrive at a shared vocabulary to discuss and critically analyse digital identity systems, both within our team and in engagements with other stakeholders. This illustrated and interactive glossary can serve as an easy reference for anyone seeking an introduction to the core aspects of digital identity. Even though this is essentially a list of definitions with examples, it does not follow an alphabetical order like most glossaries, but the logical flow of concepts as they build upon each other in a working identity system. We have paid special emphasis to the core processes of <a href="https://digitalid.design/core-concepts-processes.html#identification-diagram">Identification</a> and <a href="https://digitalid.design/core-concepts-processes.html#authentication-diagram">Authentication</a>, elucidating them through diagrams.</p>
<p class="indent"><a class="external-link" href="https://digitalid.design/core-concepts-processes.html">Click to read more</a></p>
<hr />
<p>Credentials:</p>
<ul>
<li> Research by Shruti Trikanad and Amber Sinha </li>
<li> Conceptualization by Pooja Saxena and Amber Sinha </li>
<li>Illustrations by Akash Sheshadri and Pooja Saxena</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/digital-identity/shruti-trikanand-and-amber-sinha-september-13-2019-core-concepts-processes'>http://editors.cis-india.org/internet-governance/digital-identity/shruti-trikanand-and-amber-sinha-september-13-2019-core-concepts-processes</a>
</p>
No publisherShruti Trikanand and Amber SinhaInternet GovernanceDigital IDDigital Identity2019-10-17T16:06:54ZBlog EntryDesign and Uses of Digital Identities - Research Plan
http://editors.cis-india.org/internet-governance/blog/digtial-identities-research-plan
<b>In our research project about uses and design of digital identity systems, we ask two core questions: a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Towards the first research question, we have worked on first principles and will further develop definitions, legal tests and applications of these principles. Towards the second research question, we have first identified a set of existing and planned digital identity systems that represent a paradigm of how such a system can be envisioned and implemented, and will look to identify key design choices which are causing divergence in paradigm.</b>
<h4>Read the research plan <a class="external-link" href="https://digitalid.design/research-plan.html">here</a>.</h4>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/digtial-identities-research-plan'>http://editors.cis-india.org/internet-governance/blog/digtial-identities-research-plan</a>
</p>
No publisherAmber Sinha and Pooja SaxenaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-17T07:58:44ZBlog EntryHolding ID Issuers Accountable, What Works?
http://editors.cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works
<b></b>
<p>Together with the <a class="external-link" href="https://itsrio.org/pt/home/">Institute of Technology & Society</a> (ITS), Brazil, and the <a class="external-link" href="https://www.cipit.org/">Centre for Intellectual Property and Information Technology Law</a> (CIPIT), Kenya, CIS participated at a side event in <a class="external-link" href="https://www.rightscon.org/">RightsCon 2019</a> held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the <a class="external-link" href="https://www.omidyar.com/">Omidyar Network</a>. The event was attended by researchers and advocates from nearly 20 countries. Read the event report <a class="external-link" href="https://digitalid.design/rightscon-2019-report.html">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works'>http://editors.cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works</a>
</p>
No publisherShruti Trikanad and Amber SinhaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:23:58ZBlog EntryThe Appropriate Use of Digital Identity
http://editors.cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity
<b></b>
<p>As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID in several parts of the world has been accompanied with concerns about the privacy and exclusion harms of a state issued Digital ID system, resulting in campaigns and litigations in countries such as UK, India, Kenya, and Jamaica. Given the very large range of considerations required to evaluate Digital ID projects, it is necessary to think of evaluation frameworks that can be used for this purpose.</p>
<p>At RightsCon 2019 in Tunis, we presented <a class="external-link" href="http://bit.ly/CISDigitalIDAppropriateUse">working drafts</a> on appropriate use of Digital ID by the partner organisations of this <a class="external-link" href="https://www.omidyar.com/blog/appropriate-use-digital-identity-why-we-invested-three-region-research%C2%A0alliance">three-region research alliance</a> - ITS from Brazil, CIPIT from Kenya, and CIS from India.</p>
<p>In the <a class="external-link" href="https://digitalid.design/evaluation-framework-01.html">draft by CIS</a>, we propose a set of principles against which Digital ID may be evaluated. We hope that these draft principles can evolve into a set of best practices that can be used by policymakers when they create and implement Digital ID systems, provide guidance to civil society examinations of Digital ID and highlight questions for further research on the subject. We have drawn from approaches used in documents such as the necessary and proportionate principles, the OECD privacy guidelines and scholarship on harms based approach.</p>
<p>Read and comment on CIS’s Draft framework <a class="external-link" href="https://digitalid.design/evaluation-framework-01.html">here</a>.</p>
<p>Download Working drafts by CIPIT, CIS, and ITS <a class="external-link" href="http://bit.ly/CISDigitalIDAppropriateUse">here</a>.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity'>http://editors.cis-india.org/internet-governance/blog/the-appropriate-use-of-digital-identity</a>
</p>
No publisheramberDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:24:40ZBlog EntryComments to the ID4D Practitioners’ Guide
http://editors.cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide
<b></b>
<p>This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments <a class="external-link" href="https://digitalid.design/comments-ID4D-practitioners-guide.html">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide'>http://editors.cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide</a>
</p>
No publisherYesha Tshering Paul, Prakriti Singh, and Amber SinhaDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-08T10:25:13ZBlog EntryDigital ID Forum 2019
http://editors.cis-india.org/internet-governance/news/digital-id-forum-2019
<b>Sunil Abraham was one of the panelists at this event at Chulalongkorn University on July 3, 2019.</b>
<p><img src="http://editors.cis-india.org/home-images/DigitalID.png" alt="Digital ID" class="image-inline" title="Digital ID" /></p>
<p><span>Click to </span><a class="external-link" href="http://cis-india.org/internet-governance/files/digital-id-forum">view the agenda</a><span>. Also see </span><a class="external-link" href="https://en.wikipedia.org/wiki/Asia_Source">Wikipedia page</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/digital-id-forum-2019'>http://editors.cis-india.org/internet-governance/news/digital-id-forum-2019</a>
</p>
No publisherAdminDigital IDPrivacyInternet GovernanceAppropriate Use of Digital IDDigital Identity2019-08-07T14:09:16ZNews Item