Photo: Unfold Stories / Simon Davis

Good Conversation is as Important as Good Technology

Dr. Isaac Rutenberg is a practicing patent attorney and Director of the Center for Intellectual Property and Information Technology Law (CIPIT) at Strathmore University in Nairobi, Kenya.

He shares key considerations for issued ID in Kenya: critically, whose needs are served by a new system, and why the public debate needs to be both engaging and nuanced if we are to see better outcomes and real value for ID users.

This interview series explores different technology choices applied by government, business, academia and nonprofit organizations as well as innovative technology entrepreneurs to contribute to a thoughtful debate on digital identity policies, practices, and technologies.

In the third feature in the series, Dr. Isaac Rutenberg shares his views. Dr. Rutenberg is a senior lecturer and director of the Center for Intellectual Property and Information Technology Law (CIPIT) at Strathmore University in Nairobi, Kenya. Dr. Rutenberg earned a doctorate in chemistry before training to practice law.

Dr. Rutenberg highlights the potential pitfalls when technology drives changes in the issued ID system, and the need for vigorous public conversation around legal issued ID system design.

Ready for the conversation: Dr. Rutenberg

What’s the focus of your work, and how does it relate to Good ID?

CIPIT is an academic-based think tank. Originally our research focused on information controls and how government, the private sector and others use various means to control the information available, and also the way that it is delivered, the physical and digital infrastructure.

That work has evolved into a larger look at data protection and data privacy, which was actually brought about because of the Kenyan government’s seemingly perpetual efforts to try and pass a data protection bill*.

Of course, it's a huge issue worldwide, so we’re looking at our research from a Kenyan perspective and also a broader East African and African perspective. As part of that data protection work we naturally migrated into the area of ‘good identification’, digital ID and identification in general.

Can you tell us a little about the changes to ID systems in Kenya?

There are many types of ID systems in Kenya, but let’s talk about two types: the type that has been around for a long time, and the type that’s either about to be rolled out or is in the process of being rolled out. The national ID is an example of the former, and NIIMS (the National Integrated Identity Management System, also called Huduma Namba) is an example of the latter.

The question is: what need is being served by replacing existing systems? For example, I would say the current national ID system is not necessarily broken. Absolutely, there are things that need to be improved about it.

Most of those [improvements] are in service delivery, like getting an ID within a reasonable amount of time and not having to wait too long or not needing an onerous amount of documentation to apply for it. Also, there are reports of a significant number of fake and invalid IDs.

NIIMS is a new integrated and centralized system for which initial registration is being carried out in April and May of this year. The system is integrated because it interfaces with numerous other ID systems (healthcare, social security, tax payer ID, etc.), and centralized because it actually contains data from those other ID systems.

It is not clear, however, why such a system is fundamentally better. It’s possible that the integrated system does not want to replace the national ID, but the government has not really explained how the integrated system and the national ID will work together, if that is the plan.

Furthermore, from a data protection or a data security perspective, centralized systems are usually worse. They are much more susceptible to data breaches (because the value of the data is greater), and data breaches have far greater consequences. For example, we saw in the election in 2017 that the voter registration system was quite un-secure.

In the case of NIIMS, any data loss would provide an enormous amount of information about individuals, including biometric information. The government has not said much about the security of data, and we have already seen reports and evidence of breaches even in the initial registration phase of NIIMS.

What are the key considerations you see for how digital ID systems are being implemented in Kenya?

The average Kenyan citizen has several identification numbers - a national ID, the national healthcare system, the national social security system and others.

With the proposed new NIIMS system, the idea is that those services will be better delivered. But I think it's unclear how the new ID number will affect the average person who already has those identifications.

It may help on the fringes where people are having trouble getting such identification [cards], perhaps now they only have to get an ID once, or the centralized system will assist them with getting other forms of ID.

In theory, these are possible outcomes, but again, we don’t know how the centralized system will interact with other ID systems.

And, for someone who has already been registered for all these different programs, it’s unclear what the benefit will be.

Where a system is being mandated for an entire citizenry, and where that system will potentially infringe on basic human rights – one of those being privacy – for all the benefits that the system is supposed to provide, you need to really keep in mind that these systems should, at worst, do no harm.

Centralized systems are prime targets for data breaches, and biometric verification systems can be less than 100% reliable – both of these issues have the potential to do harm.

Balancing these issues is a tricky thing to do when you're trying to deal with population-level programs. There are always going to be people who benefit and other people who have bad experiences.

The more something becomes ingrained in everything we do, the more you have to make sure that you take a careful look at how it's affecting basic human rights, and one of those needs to be privacy.

Of course, the human rights of health and other things that they're trying to provide, those are absolutely important too; one should not be sacrificed for the other, ever. Kenya has a national healthcare system known as NHIF (National Hospital Insurance Fund).

Since NIIMS is intended to be tied to NHIF, in theory, the government could refuse health care to someone not registered on NIIMS even though that person is registered with NHIF.

Perhaps more problematic is the possibility that the NIIMS biometric system fails to validate a person requesting service, and that person is refused healthcare.

Some of these possibilities are difficult to balance - but the conversation needs to include these issues, and needs to involve the population that will be subjected to the proposed ID system.

How do you personally define what constitutes a digital identity?

A digital identity is any digital system that determines who a person is, and what sort of services they are entitled to receive.

National IDs are the most obvious form of ID, but we live in a world with a growing number of forms - phone numbers, email addresses, and social media accounts are all forms of digital ID.

The landscape of digital ID is expanding rapidly, and along with it, our “digital wake” is also expanding.

Should technology be the driver or the passenger of Good ID?

Technology should never be a driving factor in government services. It’s not the role of government to demonstrate new technologies.

Government should be using technology, of course, but to say “there's this great new technology, let's implement it” - that should never be a reason for doing anything from a government perspective.

The driving factor should always be service, defined broadly - providing entitlement services, securing the country, and strengthening systems or institutions are examples of providing services.

Of course, data protection and data security cannot be guaranteed solely by the law. So although technology should not be driving the process, technology should absolutely be involved when it’s appropriate.

For example, the government has a duty to use the most secure systems that they can reasonably access, and that includes certain levels of encryption, security in terms of access, all of that. That’s absolutely critical.

Beyond the technology, what role do you think politics plays in ID systems, and how can we best engage so politics can support Good ID?

Identification of the people should not be a political issue in any way at all. I understand many of the reasons why it is.

It’s unfortunate in a region where your identity determines so many things; your identity in many ways determines the community that you belong to at the most fundamental level. And that influences a lot of aspects of politics.

I think politics should not be an issue when it comes to identifying people and providing services. All of the basic services of government should be completely apolitical, and to make them anything else is an abuse of trust and power.

There are laws that state who is entitled to the various forms of ID and services, and those laws should be followed. The lawmaking process may be political, but the implementation should not.

What kind of structures would mitigate that issue of politics being too closely involved in this?

At the end of the day, regardless of political affiliation, you need accountability and transparency. If politics starts becoming a factor in who is being identified or what services are being provided or what resources are being made available to them, you need good institutions that can stand up to that encroachment.

I'm not going to say exactly what accountability and transparency are, apart from specifying that there needs to be independent accountability.

Whether that is in the form of a judiciary or in the form of an independent check somewhere in government, it’s not for me to say which is the right way to do it, but something needs to be there to hedge against the very real temptation to make this a political issue.

Which developments on the horizon related to ID will you be paying closest attention to this year?

Apart from NIIMS, I'm very much focused on the Kenyan data protection bill. Two different versions are pending.

The Kenyan government has tried to pass them before, and I think it's really critical that it does so. I would like to see an increased awareness by the population.

I would like to see somebody, whether that’s CIPIT or one of our collaborators or someone unknown to me entirely, someone figuring out a way to make this topic one that people care about, one that increases public participation in these issues from a very balanced perspective.

There's the government saying “we need this for security”, “we need this for services”, and there's the private sector saying “we would really like this for credit scores” and for whatever else they want to do.

I haven't seen a civil society organization that has really gained a lot of traction in leading what needs to be a larger national conversation.

These competing interests are not really well communicated on a regular basis and in an effective manner. I would like to see the development of a more balanced conversation about these issues - security, linked services, privacy, and so on.

One of my main goals for this year is to develop some sort of a platform where people can access stories.

For example, I know anecdotally that one of my colleagues had her identity stolen - but how do we make that information more accessible to people, so that they can see the real risks that people are facing to issues of privacy, to issues of security?

What do you feel is the biggest opportunity for Good ID in Kenya going forward?

We have the opportunity to think about how this all fits together and to learn. In India, for example, they went forward with a system, it seems, without appreciating the risks, and only in hindsight now are they starting to understand what those risks are.

It’s been a process that has taken many years, a lot of research, and even a court case in the Supreme Court of India.

We’re in a really nice position where we can learn from that. We don’t have to see the same negative impacts that others have seen.

I appreciate that it’s a very in-the-weeds, nuanced conversation that needs to be had, and you have to convince some people to have that conversation, but others are extremely ready for it.

That’s really all we're pushing for - to see that conversation happen, rather than a system rolled out without due diligence.

  • Dr. Rutenberg was interviewed in April 2019.

Data protection and digital identity programs in Kenya

Kenya does not currently have a generally applicable data protection law. However, there are various legal sources that address data protection, including the Constitution of Kenya 2010, the Access to Information Act 2016 (applicable to public bodies), the Health Act 2017 and the Computer Misuse and Cybercrimes Act 2018 (Source: DLA Piper, 2019).

Currently, there are two draft data protection bills (one has already been submitted for consideration by Parliament, and the other is ready to be submitted to Parliament), although there are recent reports that the two bills will be harmonized.

On April 1, a three-judge bench of the Kenya High Court ruled the government could proceed with NIIMS. However, the Court ruled:

  • Registration in the digital identity program should not be mandatory
  • Access to government services should not be tied to registration status
  • There should be no deadline to registration
  • DNA and GPS information should not be collected; and
  • The Kenyan government should not share the data collected with third parties until the legal cases are determined.