Semlex Group’s Albert Karaziwan on global challenges shaping identity policies

Governments around the world are shifting their attention to identifying policies and how they could be a solution to curtail a variety of complex global security challenges. These challenges include global migration, terrorism, crime, fraud, and the need to modernise public services which reduces the cost of accessing services. For instance, India is currently developing a policy to issue a unique identification number for every resident, which will be supported by biometric authentication, for its massive population of over one billion citizens. This will help to regulate access to government services.

Several governments estimate that it costs between $10 and $20 to verify an individual's identity when accessing a service. However, digital verification can be done much more cost-effectively, ranging from $0.40 to $2.00 per attempt. Several policies to digitise services have already been implemented in various countries, including RealMe in New Zealand, and GOV.UK Verify in the UK, Aadhaar in India, ID-card in Estonia, and separate systems BankID in Sweden and Norway. Similarly, countries like Greece, Pakistan, South Africa, and Spain requires mobile phone providers to link "prepay" mobile phones to an identification document as a way to combat terrorism. The UNHCR is also testing the use of fingerprint biometrics to manage refugee populations, while Rwanda has recently announced that all refugees will be issued identity cards.

Identity service provider Semlex Group says that identity policies are now an integral part of policy-making in almost every country in the world but that many years ago would have been considered unrealistic because of a lack of policy reformation and identity technologies.

Identity policy has become a contentious issue for governments, as demonstrated by the experiences of Australia and the UK. The ‘Australia Card’ was an attempt to digitize identity in 1986. Following increasing public concern about the scheme's implications, which the opposition claimed were privacy issues, security concerns, and the need for unreasonable funding, the Australia Card Bill was defeated in the Senate in November 1986.

Identity policy requires large financial budgets and also poses technological risks but how do policymakers overcome these challenges? Do they see this type of policymaking as an opportunity to introduce new technologies that can improve how a government manages its citizen data, or are they simply leveraging new technology to fulfil an agenda without fully considering the risks?

Identity policies and the challenge of implementation

Policymakers may be experienced in proposing policies and developing strategies for a better nation which can include an identity policy, however, they may not have a deep technical understanding of complex issues related to specific projects or industries. For example, if a policy is being developed for the use of facial recognition technology in law enforcement, the policymakers may not have the technical expertise to fully understand how the technology works or the potential implications of its use.

For example, in March 2020, Abu Dhabi police upgraded their patrol cars with a live biometric facial recognition system. It is also used for border checks. But this could pose privacy concerns and data security risks that may be a challenge to solve, as well as technical risks such as network speed, availability of system support, and cultural considerations, associated with the implementation of such policies.

This is why it is important to have a full technical understanding as a lack of technical understanding can lead to policies that are not well-suited for the specific context or industry. Without a clear understanding of the technical details, it can be difficult to anticipate the potential challenges and unintended consequences that may arise when implementing the policy.

Furthermore, even if the policy is well-designed, the success of its implementation may depend on the technical details of the project. If the policy requires the use of specific technology or infrastructure, it's essential to have a clear understanding of how these components work together to achieve the desired outcome. Without this understanding, the policy may not be implemented effectively, which can lead to a failure to achieve the policy's objectives.

For example, when it comes to identity policies, only technical experts can know that their success is determined by the fundamental methods of how individual identities are enrolled and verified.

Karaziwan said: “Policymakers must understand these complexities, and work with many government departments and technical experts to make decisions such as how and where to store identity information and whether a centralized database is the best solution to manage that data, as it may offer benefits but also raises the risk of data breaches. decisions made in the process of implementing a policy can have unintended consequences, such as creating an underclass or delegating legitimacy decisions to authorities not equipped to handle them.”

Identification and authentication in the modern world

Policymakers should always focus on being authentication-centric. When policymakers focus only on identification, it can lead to overly complex systems that are not effective in protecting against unauthorized access. This is because identification alone does not provide any assurance of the validity of the information being presented. It only confirms that the individual is presenting some form of information.

Authentication provides a more complete approach to identity verification by requiring the individual to prove their identity through the use of a password, biometric data, or other authentication factors. This provides a higher level of assurance that the individual is who they claim to be. In addition, authentication-based policies can be more flexible in accommodating different user needs and preferences. For example, users may prefer different methods of authentication, such as biometric authentication, smart cards, or one-time passwords.

Karaziwan says: “By implementing policies that focus on authentication, organizations can offer users a variety of options while still maintaining a high level of security”

It's also important to note that authentication processes should not be viewed as a one-time event. Rather, they should be ongoing and adaptive, with systems continuously evaluating the risk associated with each access attempt and adjusting the authentication requirements accordingly.

Biometrics, enrolment and verification for performance

Credentials can be linked to individuals through a form of unique identification, such as their biometrics. Biometrics include measurements of the body, such as fingerprints, iris scans, or facial images, which are matched into computational templates for comparison. However, every biometric system has a measurable error rate and failure-to-acquire rate, and performance can be affected by factors like lighting and ageing. Organizations should consider these risks, characteristics of the population, and cost-effectiveness. This includes factors like whether biometric matching is necessary, the performance offered by a particular biometric, and the expenditure required to implement it.

Identity credentials are directly linked to enrolment and verification. Enrolment is the process by which an individual is brought within the identity ecosystem by a process that gathers accurate information which is then issued ‘the credential’. The process of registering individuals into a system usually involves the collection of personal information and the creation of a record from the individual’s biographical footprint, their biometric footprint or both.

Verification, on the other hand, is the process of confirming the accuracy and validity of information or the credential during enrollment or at any point in time. This may involve cross-checking information with external sources, such as identity documents or reference checks, or using biometric technologies to verify identity. Verification helps ensure that the information provided is genuine and reliable and helps prevent fraud or errors in the system.

Using different biometric technologies for enrolment and verification can affect the performance and speed of verifying information. It requires investment in readers that are fast and have secure communication links.

Ensuring unique citizen and foreign national data

Governments need to be able to know who their citizens are so that they may exercise their rights and have access to their services. They use biometric data to create a unique identifier for each citizen, which is then used to link various government services and entitlements to that individual. For example, biometric data can be used to create national identity cards, driver's licenses, and passports, which are all commonly used to prove a citizen's official identity.

The use of biometric data can help ensure that entitlements are distributed accurately and efficiently. By linking biometric data to a citizen's entitlements, governments can verify that the person receiving the benefit or service is the rightful recipient. This can help prevent fraud and abuse and ensure that resources are directed to those who need them most.

For example, in many countries, social welfare programmes require recipients to provide proof of identity and eligibility. By using biometric data to establish a citizen's identity and eligibility, governments can reduce the likelihood of fraud and ensure that resources are directed to those who are truly in need. This can also extend to foreign nationals, authentication within the ecosystem is very important for transparency and security. For example, checking if an individual has applied for a visa in the past and using biometrics to manage immigration, and giving them their rights during their stay.

However, the use of biometric data also raises concerns about privacy and security. Governments must safeguards and protect citizens' privacy and prevent the misuse of biometric data.

Karaziwan asserts: “The use of biometric data can help governments to accurately and efficiently distribute entitlements and services to citizens. However, governments need to balance the benefits of using biometric data with the need to protect citizens' privacy and rights”

Future technologies for identity policies

Governments worldwide are facing new challenges with globalization, leading to a convergence in drivers for identity policy change especially to safeguard identity fraud and minimise the amount of data disclosed in authentication transactions. In many solutions, identity credentials often disclose more personal data than necessary due to serving multiple purposes, such as displaying data on the face of the document.

Technologies like cryptography can be useful in the authentication processes. Cryptography plays a critical role in protecting identity credentials, particularly in digital environments. Identity credentials, such as passwords, PINs, and biometric data, are sensitive pieces of information that are used to authenticate individuals and grant access to secure systems and data. If these credentials are compromised, it can lead to unauthorized access, data breaches, and other forms of cybercrime.

Karaziwan adds: "Cryptography provides a means of protecting identity credentials by encrypting them, making it difficult for unauthorized individuals to access them even if they are intercepted. Cryptography uses mathematical algorithms to transform plain text information into an encoded form that can only be deciphered by those who have the necessary key or code. This can be used to protect identity credentials as they are transmitted over networks, stored in databases, or used to authenticate users.”

The sum of all policies

Developing effective identity policies is crucial to achieving a policymaker's objectives. Technological factors play a large role in shaping these policies, and policymakers need to be informed and educated on the implications and risks of the technologies involved. Several companies in the private sector can assist policymakers to develop reliable authentication processes. By making knowledgeable decisions and partnering with experts, policymakers can develop effective identity policies that benefit society and prioritises its citizens. The government's role should be to act as a custodian of citizen data, ensuring its security, integrity, and the inviolable rights of citizens to control their data.

Le Figaro is journalist at lefigaro.app

• KT Network