What is good accountability?
Leading experts on privacy, law, digital identity and rights advocacy agree: ID systems that allow users to hold the system creators and implementers accountable are one of the ways to build Good ID. But they also agree that today, in 2019, we’re a long way off.
“Accountability” can be defined differently in different contexts. In the vision of a “good” digital identity system, the ideal “accountability” usually refers to a mechanism for holding the system designers, owners and implementers to account – to be able to literally trace, contact and where necessary, challenge those responsible for the identity-related product or service to make changes to protect things like user rights and to safeguard from harm.
Nathalie Maréchal, Senior Research Analyst at New America’s Ranking Digital Rights program, explains: “The first law of accountability is transparency. Because if you don’t know what a government agency is doing, you can’t possibly hold them accountable. Crimes that occur in secret don’t get prosecuted.”
Elizabeth M. Renieris, founder of the hackylawyER consultancy and fellow at Harvard's Berkman Klein Center for Internet & Society, notes that “when we talk about transparency and accountability in the context of digital identity-related products and services, we’re generally talking about legal frameworks around data, such as data protection laws.”
ID issuers’ accountability begins with transparency and formal legal protections. But it doesn’t stop there. For accountability to be in place, it needs people.
As Kaliya Young, self-sovereign identity and identity on the blockchain expert, author of Key Differences Between the U.S. Social Security System and India’s Aadhaar System, and co-author of A Comprehensive guide to Self-Sovereign Identity and Identity Woman, observes, for accountability mechanisms to exist, you need the public on board so they will work in practice.
And Maréchal agrees. She posits that working accountability mechanisms provide the ability to correct factual errors. “The argument is not that you should be able to say ‘Oh, I don’t like what’s in this file, therefore you should change it’,” she says. “It’s more about actually correcting errors, like ‘My birthday is wrong.’ It’s about verifying things.”
Data as nuclear waste: why accountability is important
While Good ID is a fully realistic goal, the three experts suggest an identity system that is fully accountable is yet to be achieved. Without accountability, they argue, Good ID will fall short of its ultimate goals.
“More and more I think of data the way I do about nuclear waste,” Maréchal explains. “Nuclear energy is here to stay, and there are good uses of it, but … you have to think through very, very carefully what the safety protocols and procedures are going to be, what you would do in the event of an accident – rather than just assume that there will be no accident, and so on.”
She continues: “In the same way that once radioactivity is out there you can’t call it back, once you have a data breach or once [you have] built a system for some of the more concerning uses of surveillance, you can’t just call it back so easily. And so, it’s really important to treat any uses of data as something that’s really sensitive and requires a lot of responsibility and accountability.”
Companies like Facebook, Yahoo, Equifax, or Marriott have each been in the news over the past few years for breaches of personal data – the building blocks of digital identity. All have accountability mechanisms available for users and customers, like Facebook’s data misuse reporting mechanism. But without the organizations reporting on uptake, whether customers use such mechanisms is difficult to find out.
Renieris notes that when these stories break, “people often feel powerless in response to each new data breach.” She continues, “That powerlessness is due to not knowing about or understanding how to hold organizations accountable for these breaches of trust. Even with formal mechanisms in place, they are not always clear or effective to access or implement.”
Accountability in practice, or lack thereof
While these experts agree that the accountability mechanisms that do exist aren’t widely used, they also agree that in some places accountability is lacking – or less than ideal.
For instance, Young notes India’s supra-national database, while accountable to the courts, “is self-regulated by itself. So, it's made to be its own regulator, and has almost no accountability to an actual government outside of itself.”
Maréchal identifies the “Cambridge Analytica scandal, implementation of the GDPR in Europe, genocide in Myanmar, the Brexit vote in 2016, and the US presidential election” all as illustrations of “what the negative externality is of the datafication of everything.”
This lack of external accountability can be problematic. As Maréchal summarizes: “accountability is only possible if you have this kind of give and take in society that – in the U.S., we refer to as the balance of power – that different actors in society hold each other accountable for what each other do.”
The experts don’t just see these issues cropping up in political scenarios. As Renieris notes, large, data-handling corporations are also struggling to implement accountability mechanisms that work, even where they have taken steps to increase transparency.
“Facebook, Alexa - all these things are really good examples of transparency. They’ve got their notices about their policies – a whole lot on that end of the spectrum, and very little on the accountability side,” she says. “Despite sometimes clear violations of their own privacy policies and notices, it is almost impossible for individuals to bring actions based on civil, political, constitutional, or human rights grounds, so there’s often a real imbalance.”
Steps in the right direction
Maréchal notes there are many different ways to hold companies and governments accountable, including legal action, investigative journalism and advocacy – like Ranking Digital Rights’ annual Corporate Accountability Index pushing internet, mobile and telecommunications companies to be more transparent.
“The problem of how different elements of society hold each other accountable to make sure that the public interest and human rights are respected is not a new problem,” she says. “But as society continues to evolve and change with the new technologies, our accountability mechanisms have to evolve as well.”
Renieris believes any pathways, steps, and mechanisms to challenge rights violations need to be laid out clearly for uptake by any user or citizen.
Young still believes the state must be held accountable, because it is usually the legal issuer of IDs.
“States have a role in being a backer of people's ID. As noted by Mawaki Chango, we’ve managed to build a world in which that is the case by accident,” Young suggests. “But I don't think there are enough conversations about how these data systems are managed, and how integrity and accountability with their use and access is managed.”
One example of an unintended lack of accountability lies in India’s Aadhaar system, a digital identity system that has enrolled more than 1.2 billion people. The Indian Supreme Court’s 2018 ruling upheld the constitutionality of Aadhaar but limited its use, highlighting the potential for unintended consequences in a vacuum of accountability.
The Supreme Court judgement states on pages 92-93 that the Aadhaar project is “destructive” to the principle of Limited Government, and encourages a “totalitarian state” by not allowing citizens to conduct activities like operating a bank account, receiving food rations or operating a mobile phone without the state knowing, or by making Aadhaar “compulsory for other activities such as air travel, rail travel, directorship in companies, services and benefits extended by the State.”
The judgement continues on page 94: “This is an inversion of the accountability in the Right to Information age: instead of the State being transparent to the citizen, it is the citizen who is rendered transparent to the State.”
“It’s a complete inversion of what the law intended,” Renieris notes of Aadhaar. “What we need to do is flip that back on its head, because this inversion of the accountability principle is how we ended up in this situation.”
She continues that this trend isn’t limited to India or Aadhaar, but affects individuals globally:
Whose responsibility is it?
For Young, “accountability” relies on “creating new institutions and securitized pseudonymity. These new things of securitized identities are ways to get … accountability and the need to support freedom.”
As Young explained, the use of pseudonyms backed up by a securitized system will allow people to have control over their identity. Combined, self-sovereign identity and distributed ledger technology will also allow misconduct under these pseudonyms to be prosecuted and users to be held accountable if they commit fraud or other crimes, because misbehaving users will still be traceable.
For Renieris, accountability relies on having a clear path to hold governments and businesses to account.
“I think the hardest challenge in this area is that the effects are so dispersed, and the net aggregate effect on our lives is so hard to map and measure even though we all know that there are indeed very deep impacts and effects on us,” she said. “You may have transparency, but you cannot exercise or enforce your rights without a clear path for doing so – that’s accountability.”
Whose responsibility it is to ensure that these paths exist is disputed, although all experts agree they are necessary.
Young suggests it’s the responsibility of the individual to look after their identity, pseudonymous or not, but up to the institutions to uphold the rule of law and protect the individual’s rights to use that identity.
Maréchal agrees, but believes there are two institutions that this responsibility falls to:
But she also believes there is a key responsibility for the private sector to be held accountable under the UN Guiding Principles on Business and Human Rights.
“Businesses have a responsibility to respect human rights, including privacy, even in cases where the government is unable or unwilling to do that,” Maréchal notes. “And that can take a lot of different forms.”
Renieris believes civil society organizations can also play a role in holding both governments and businesses to account.
“There are limits there, but look at what’s happening in Hong Kong with what started in part from concerns around sharing citizens’ payment information with government authorities for secondary and tertiary purposes,” she said. “I honestly think that the best examples of holding people to account are going to come from old-school, grass-roots, protest-type movements. I’m optimistic there might be a resurgence of that type of thing.”
Movements like Better Identity Coalition, the World Bank’s ID4D program, the UN High Level Panel on Digital Cooperation, the #GoodID movement, ID2020, the Internet Identity Workshop and others are attempting to bring governments, business, and civil society together with individual users and citizens. These groups agree with all the experts: it’s governments’ responsibility, businesses’ responsibility, and civil society’s responsibility to hold one another to account – and to hold society to account at large.
Only when all these actors work together can we hope users and citizens will not only know how to hold organizations who use their data to account, but also will be able to act upon this knowledge.