On October 2, the Bangladeshi government inaugurated Smart National ID cards (NID) as part of their Digital Bangladesh initiative, aiming to distribute the cards to 100 million people in Bangladesh.
The NID cards replace existing laminated cards used by the Election Commission, but they have many other functions. Banking, passport details, driving licenses, trade licenses, tax payments, and share trading are among the 22 other services that can be accessed through the cards, with more to follow. The cards will also be associated with an individual’s mobile phone SIM card. Once issued, they will be valid for 10 years.
— Nurunnaby Hasive (@nhasive) October 4, 2016
The cards hold biometric details of the cardholder: impressions of all ten fingers, as well as pictures of the iris. In total, 32 types of unique citizen data will be “embedded within its microchip,” according to Election Commission officials quoted in The Daily Star.
The first recipients of the cards were the President, Prime Minister Sheikh Hasina, and members of the national cricket team, including the team's captain, Mashrafe bin Mortaza, who tweeted:
— MASHRAFE BIN MORTAZA (@mashrafebd) October 2, 2016
Cards may reduce forgery, but create new security challenges
The government has explained that the cards are intended to curb forgery: previously, laminated cards used for voting were relatively easy to copy and forge. The Election Commission says the machine-readable cards include “25 features” designed to prevent forgery. In 2014, law enforcement discovered a set of more than 50,000 fake IDs generated for fraud or other intents in the country. EC Secretary Sirazul Islam also said that “forging the smart NID cards would be almost impossible.”
But with this much personal information being collected on every single citizen, especially personal data that cannot be changed if it is ever leaked or compromised (ie. the fingerprints of an individual), there are major concerns regarding the security of this data. A breach or leak could put individuals privacy rights seriously at risk.
Protecting these databases may prove difficult. EC officials say citizens’ data are safe from unauthorised access as the database servers are “fully protected”, but there have been no explicit mentions of how the data is stored, and whether or not it is encrypted.
Leaks and hacks of important data in the country have had serious consequences in the past. In April 2016, $81 million was stolen from the Bangladesh central bank, the majority of which remains missing. In other areas of the world, huge leaks of personal data are not uncommon – earlier this year, personal data of 50 million Turkish citizens was put online.
And there are reportedly already technical glitches. On the first day of card distribution, bdnews24.com reported that many citizens had to leave without the smart ID cards after providing their biometric samples, due to a “software malfunction.” Others complained of more human errors, such as being unable to locate the proper distribution centres.
…difficulties are being faced in cases where the fingers are scarred, or the lines on fingers have become unclear owing to heavy manual labour.
Biometric data collection en masse has also generated unexpected problems, specifically fingerprints: a technical staffer of the Election Commission was quoted saying “difficulties are being faced in cases where the fingers are scarred, or the lines on fingers have become unclear owing to heavy manual labour.” This is likely to be a recurring problem given the large percentage of the population in Bangladesh employed in manual labour, or who have been in the past. This brings with it questions of sustainability: If a person gives their fingerprints now, and then engages in manual labour for 10 years, will they still be recognisable by the system?
Privacy and surveillance concerns
Linking so much personal data together in one card and one database also brings with it key privacy concerns.
Many lessons can be learned from neighbouring India where the Aadhaar card has been in development much longer. Indian lawyer Bhairav Acharya has analysed many shared concerns considering the biometric data gathered by the Aadhaar project, considering who the data might be shared with, and any what recourse can be sought against misuse of the data. Another similarity between the two systems that raises concern for Acharya is that once collected, an individual’s biometric information remains in the government’s possession for an indefinite amount of time.
Writing in the Indian Express, Pratap Bhanu Mehta raises concerns around the database structure, and how the data will be shared. In Bangladesh’s case, given the multiple functions of the NID, data from the cards will likely travel between government agencies. Granting this type of access to multiple governmental bodies will thus introduce multiple potential points of vulnerability to malfunctions, and to breaches or attacks by malicious actors.
If having the card is required to participate in public life (for example, to pay taxes, to vote), and personal biometric data is needed for the card, it by definition violates key prerequisites for voluntary consent of individuals. NID cards are also associated with an individual’s SIM card, if they have one – which means the government could potentially connect data around an individual’s telecommunications habits together with all the other data points associated explicitly with the card.
The creation of this database opens up thorny issues around government surveillance, too. As the database is built up, who will gain access to it?
Though issues of national security have not yet been mentioned, building such a comprehensive database of individuals in the country brings with it possibilities of using that database to identify people for criminal activity. In India, there were moves earlier this year to pass new provisions on national security regarding the use of the database. Changing the purpose of the data collected in such a dramatic way again violates the purpose of the initial collection. But withdrawing consent or an individual’s data does not seem to be an option.
Citizens’ reactions? Mostly positive.
While the Aadhaar project has been the subject of much discussion in India precisely because of the privacy risks it brings with it, there appears to be less concern in Bangladesh.
— MasudKarimমাক (@urumurum) October 4, 2016
Early recipients of the card seem to be excited by the possibilities that this brings, despite again mentioning the technical glitches that have happened so far.
Writing on Facebook, one citizen said:
This is one of the grand success of this Awami League Govt to prepare and distribute the Machine-readable Smart National ID Cards among the almost 10-crore citizens.
Others expressed gratitude to the Prime Minister for “building up a digitised country so quickly.”