Over six months ago, the Tunisian government launched the country’s first digital legal identity program, its “Mobile ID” or “e-houwiya” initiative. Based on mobile phone numbers, the Mobile ID program has been touted as part of a wider shift towards digital public administration that will make people’s lives easier. But the lack of transparency and public information around its development has left civil society organizations deeply concerned about the impact on Tunisians’ privacy, data protection, and digital security.
What is “Mobile ID” and why is it problematic?
On August 3, 2022, Tunisia’s Prime Minister Najla Bouden launched the “Mobile ID” program on a pilot basis until the end of 2022, giving every Tunisian citizen with a mobile phone number the option of an electronic legal identity. The two-factor identification method uses a login-password pair, composed of a 10 digits identifier and a secret code. Whenever the ID is used, it must be verified via an authentication SMS sent to the user’s mobile phone number. The Mobile ID can then be used to access platforms such as the “e-bawaba.tn” portal for official electronic documents and digital administrative services or the “e-barid.tn” platform, providing citizens with an official email address for communicating with authorities and public institutions.
However, the services provided by these multiple platforms involve collecting and processing large amounts of sensitive data, which creates technical and legal challenges, and threatens to undermine personal data protection and security. The more data is collected and the more stakeholders involved, the greater the chance of data being misused, leaked, or hacked, and the higher the risk of harm to real people. We have already seen this happen when similar systems were deployed in countries such as India and Argentina.
Moreover, there is a risk of the Mobile ID program widening social inequalities in Tunisia, since using these services demands a minimum level of digital literacy, as well as access to increasingly expensive technology such as smartphones and internet connectivity.
How weak data protection rules make the Mobile ID program unsafe
Tunisia’s existing data protection legislation, the Organic Law 63/2004 on Personal Data Protection is long overdue an update to meet the country’s international commitments to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108) and its additional protocol 181. There are concerns about the (lack of) independence of the law’s overseeing authority, the Independent Authority for the Protection of Personal Data (INPDP), as well as clear examples of both public and private sector actors flouting the law without repercussions. For instance, Tunisia’s newly-adopted Decree-law 54 on information and communication systems, which was passed without any consultation with the INPDP, will allow authorities to store and access records of all electronic communications based on vague grounds – a clear threat to freedom of expression.
This is the worrying context into which Tunisia’s ICT Ministry launched the Mobile ID project; one where users’ data protection and privacy are low on the list of priorities. It is no wonder then that, by the end of 2022, only 36,466 citizens had opted in to the program, and that I Watch Organization, a Tunisian anti-corruption watchdog, is challenging the legality and safety of the “e-barid.tn” platform specifically, warning citizens against using it.
Why civil society needs to be part of the discussion
As with the launch of any digital program impacting people’s fundamental rights, Tunisian authorities should have engaged with civil society, independent experts, and the general public at every stage of the Mobile ID program’s design, development, and deployment. Such consultation is essential to foster transparency and trust, and to ensure human rights are being safeguarded. For the same reason, proactive data protection and digital security impact assessment studies should have been conducted to evaluate threats and risks to users, and to understand the amount of resources needed to ensure high levels of protection and efficiency.
Unfortunately, this does not appear to have been the case so far. To date, Tunisian authorities have also ignored a civil society request, co-authored by Access Now, the Tunisian Forum for Social and Economic Rights, the Tunisian League of Human Rights, Al Bawsala, and Avocats Sans Frontières, for additional clarification on several key program elements, including information about the kind of personal data collected and processed, the digital security standards used, which institutions can access the data, and whether any impact assessments were in fact conducted.
If the Tunisian government wishes to foster public trust in its wider digital transformation agenda, they must open the Mobile ID “black box,” and reveal its inner workings to civil society, independent experts, and the public at large. The government must conduct open, transparent consultations not only on the Mobile ID program, but on all projects that may impact Tunisians’ privacy, data protection, or digital security rights. In the same spirit, we encourage Tunisian authorities to seize this opportunity to reform existing data protection rules, and to place human rights at the foundation of any and all digital reforms in Tunisia.