Business

Why not a digital ID for all Sri Lankans?

In Sri Lanka, the prospect of each citizen having a unique digital identity card has raised some debate on certain aspects of such a card. It is not the intention of the authors of this article to examine the merits or demerits of the different opinions on this issue. Rather, it is our intention to explore and shed light on the use of a digital national identity card (NIC) in other nations. As with any other device, such cards must not be abused, but their usage should be of benefit to individuals, the public, and the country.

•Globally, 3.6 billion people are estimated to carry a NIC by 2021

•Many of the latest national NIC initiatives have been introduced or started (including cards and/or mobile platforms). For example, Afghanistan, Denmark, the Netherlands, Bulgaria, Cameroon, Jordan, Kyrgyzstan, Italy, Iran, Japan, Senegal, Sri Lanka, Bulgaria, the Maldives, Norway, Poland, Zambia, and a pilot programme in Myanmar are also being developed

•Banks have used the NIC as the safest way of accessing and demanding government credit for online services. The card is also the gateway to the bank’s website authentication

•Lawyers can now access the government portal via their national NIC via the online service provided by the Justice Ministry and digitally sign and upload legal proceedings

Sri Lankan authorities recently, once again, began moving to implement the Unique Digital Identity Card Project, which would provide central access to the information on every citizen through a magnetic strip or QR Code on a new unique digital identity card. This was to be expected, given the chaotic lack of current information that greatly hampered the anti-Covid effort over the past several months. The advent of Covid has brought forward a project that had earlier been mooted.

History of digital identity cards in Sri Lanka

The digitisation of citizens’ information was first looked at as far back in the 1990s, with the white-coloured driving licenses including a magnetic strip at significant cost, which was never utilised. The new NIC, which has been issued for a couple of years now, also includes such a magnetic strip, again unutilised. Sri Lankan passports have a magnetic strip that contains information, which is used by Immigration officers at Bandaranaike International Airport (BIA) for departing and arriving passengers, and also used by foreign immigration authorities.

The current idea for a digital identity card is not new either, having been floated nearly a decade ago.

Many private sector organisations already collect information on customers, especially employers, hospitals, supermarkets, airlines, hotels, and banks. These are manifested mainly in the form of loyalty cards or ATM cards, and so do multinational firms such as Google, Facebook, LinkedIn, Apple, and Microsoft. Your Apple ID, Google account, Microsoft account, and many other “accounts” have multiple uses that are actually global in reach, allowing you to access your diverse digital accounts from anywhere in the world, whether you’re sitting in your living room or at work in a scientific station in Antarctica.

Many foreign governments also digitally collect our information, including our fingerprints, when we apply for visas.

Even some vehicles have digital identity cards in the form of the electronic toll collection (ETC) card that is stuck to the windshield of every vehicle that has been registered for passage through the ETC lane on the E03 Airport (Katunayake) Expressway.

Collection of citizens’ data by the Government

Collecting data on a population by a government is not at all unusual anywhere in the world. In Sri Lanka, we have literally dozens of different government, semi-government, and local government bodies that collect our data, literally from before we are born through our lifetimes and even many years after our deaths – government bodies such as the Registrar General’s Department for birth, marriage, and death certificates; Department of Census and Statistics; Elections Department (Commission); Registrar of Motor Vehicles (Department of Motor Traffic); Schools, Ministries of Sports and Education; Department of Examinations; Police Headquarters and local police stations; Inland Revenue Department; Sri Lanka Customs; grama niladaris, local government, and provincial government; Department of Pensions; Central Bank of Sri Lanka; Samurdhi Authority, agricultural authorities, and fishermen’s societies; etc. – you get the picture.

Thus, governments actually know a lot about every one of us, including where to find us within a few hours if they want to. What a single digital card would do would be to – in theory, at least – serve as a central point for all of this information that a government already has within its many disparate arms, for the benefit of both citizens and the government.

Multi-functions of one card when used optimally

But such cards also often have a variety of other functions and benefits. In addition to its primary function as a validation device, the NIC may, as part of the Government Multipurpose Card (GMPC) initiative, also serve as a useful driver’s licence, an ATM token, an electronic purse, and a public key, amongst other applications. The card shows many data items and carries different data categories in the chip, including biometrics, which are used by several government agencies and configured for extensibility and “feature creep”.

It could also facilitate safe internet electronic transactions. These include online returns of taxes, safe e-mail, and e-commerce. A new NIC payment model (NPM) has been proposed in many countries in accordance with the emergence of the e-commerce payment system, and thus another NIC feature, which is not only for identification purposes but also for e-commerce transactions, is brought to light.

In order to make this payment model appropriate to the public, two problems should be addressed: The question of trust and protection and the question of results. Two digital certificates can be used in the NIC’s public key infrastructure (PKI) programme.

The authors propose that the new NIC can be integrated with 10 (or more) functions as shown in Figure 1:

•Identification card and photo driving license:

·Name of cardholder

·NIC number

·Nationality

·Date of birth

·Sex

·Place of birth

·Date of issue of NIC

·Residential address

·Thumbprint

·Barcode (NIC number can be retrieved when the barcode is scanned)

•Travel document in Sri Lanka and several neighbouring countries

•The card is intended to minimise the congestion at the borders by allowing the use of unmanaged gates with biometric identification (fingerprint) but is still required for international travel

Figure 2 provides examples of the advantages of such a card.

The inclusion of some multi-functions such as e-voting is likely to require Acts of Parliament or amendments to existing legislation.

 


Appointment and scheduling system for government

Even today, many police stations, MOH (Medical Officer of Health) offices, and local government offices around the country have citizens waiting in long queues to speak with officials and obtain some product or service, from a curfew pass to a driver’s license. It would be far simpler if a digital system would be used based on digital NICs to make appointments, so that there is minimal waiting and hassle. In the era of Covid, standing in a crowd or queue is also deathly dangerous. The system is also highly unequal, where more influential citizens get served faster than average members of the public.

In the UK, for example, Covid testing in many towns requires citizens to make appointments online and present their identification at the testing centre.

The development of public and private sector appointments and scheduling applications allows users to make their own appointments. The online scheduler helps the constituents to easily make, amend, and cancel their own appointments at the click of a button from bodies such as those handling visas and passports, appointments to parks and recreational facilities, etc. It is a cost-effective way to tackle multiple goals simultaneously.

Smart card e-payment can be considered as one requirement for the successful creation of NIC PKI in the e-commerce sector. Smart cards are either used for storing money in smart card e-payment or to enhance the protection of e-payments.

To use smart cards, a hardware system that interacts with the chip on the smart card must be a smart card reader. For example, personal and electronic cash registers can be attached to the reader.

The NIC can be used for payments at toll gates, station charges, and bus and Light Rail Transit (LRT) rates for transportation. It offers fast and easy transactions, functioning as an ATM card for banking applications. Cash withdrawal, balance inquiry, and the transfer of funds are part of the functions. The PKI maintains confidentiality, integrity, non-repudiation, and authentication.

Importance of data protection

One important area any government needs to address when implementing a digital identity card is how a citizen’s data would be protected from theft by others, when included in the new card. This includes theft by commercial organisations, foreign commercial organisations, and foreign governments.

Who would be authorised to access the information in a card? How can citizens be confident that such information will not be accessed by the wrong types of individuals for illicit purposes? Which institutions would be authorised to have card readers/scanners to read these cards? Certainly, local police stations, hospitals, etc., but who else?

What would be the criminal penalties for hacking/stealing/changing information on the cards? If a card is misplaced, what would be the procedure to invalidate the card, and who would be authorised to do so? The present system is extremely cumbersome. If a card is invalidated by accident or by wilful action, what would be the procedure to revalidate it?

Another important aspect is that there must be a streamlined procedure to correct any incorrect data on a card. If incorrect data of a criminal is included into the card of a priest, what would be the procedure to correct it swiftly?

As with anything else, it is in the use of such a tool where there needs to be execution. It’s easy enough to collect the information and include it in one system which would generate the cards, but it would be imperative that the relevant authorities be equipped with card readers. If police stations aren’t given readers, then you would simply have crowds of people with digital identity cards standing outside police stations and filling out forms anyway. For example, the white driver’s license issued by the Department of Motor Traffic in the 90s was of no use, although it had a magnetic strip, simply because traffic police had no way to access any information that may or may not have been stored on it.

Conclusion

Digital NICs can be powerful and useful tools, if used for maximum benefit. But it is imperative that sufficient safeguards are set in place to protect the rights of citizens and prevent the abuse of the information by any foreign or local party. It is also imperative that measures are set in place to broad-base the usage of such cards so that they would make life easier for citizens.

(Dr. Nicholas Ruwan Dias and Niresh Eliatamby are Managing Partners of Cogitaro.com, a consultancy that finds practical solutions for challenges facing society and different industries.

Dr. Dias is a digital architect and educationist based in Kuala Lumpur. He holds a BSc in Computing from the University of Greenwich, a Master’s in Computer Software Engineering from Staffordshire University, and a PhD from the University of Malaya. He is completing a second doctorate in business administration from Universiti Utara Malaysia. ruwan@cogitaro.com.

Niresh Eliatamby is a lecturer in marketing, HR, and mass communications based in Colombo. He is an author and was formerly Associate Editor of a newspaper and Editor of various industry magazines. He holds an MBA from London Metropolitan University and an LLM from Cardiff Metropolitan University. niresh@cogitaro.com.)