Tunisia plans to set up a unique identifier system as part of its “Digital Tunisia 2020” plan. Through this initiative, the government hopes to create jobs, promote socio-economic development, and make the country an international digital “destination.” Now, in the wake of the COVID-19 outbreak, these plans are on a fast track.
On 12 May 2020, Prime Minister Elias Al-Fakhakh, in collaboration with the Minister of Local Affairs and the Minister of Communication Technologies and Digital Transformation, issued a governmental decree to set up a system for national unique citizen identification, and a second decree on 15 May to clarify its implementation. According to Fakhakh, the Tunisian government decided to pass the decree on the unique identifier as one of the top priorities for dealing with the COVID-19 crisis.
But is a unique identifier system truly necessary? And if so, is it designed to protect Tunisians’ privacy and other human rights? This post aims to give you basic information, while flagging questions and concerns about whether the system will safeguard your rights.
What’s the general concept behind the initiative?
The impetus for establishing a unique identifier is to gather together information about a person, such as their identity, civil status, social security, income, tax information, and much more, using a single code. The code would allow multiple state entities to access consolidated information about a citizen. This in turn is intended to enable better and faster processing of requests that Tunisian citizens, as clients of the government, make of Tunisian government administrators.
From what we know so far, establishing an identifier could help address a number of socio-economic problems. However, there are some ambiguities in the decree that may prove troubling and could ultimately hinder the success of the initiative, in particular with regard to Tunisia’s Independent Data Protection Authority (INPDP) and the way personal data of Tunisian citizens will be protected — including questions of who can access personal data, what approval will be required, and whether individuals will have the ability to control what data is stored and how it is shared. We also still don’t know if the government will use a centralized system to collect and store people’s personal data, as the recent governmental decree does not provide clear details on that front. Centralized systems present significant security risks, because gathering such information in one place makes it more susceptible to breach by malicious actors or abuse by public authorities.
Further, the absence of public consultation with civil society for the initiative does not comport with the “multi-actor” participatory model the Tunisian government is trying to follow by involving the INPDP.
What exactly is the unique identifier, and when will the Tunisian government endorse it?
The unique identifier is a code consisting of 11 numbers assigned to one person and associated with key pieces of their personal data. It would be assigned to any person of Tunisian nationality, including those born in the country, to Tunisian nationals born in a foreign country and registered with Tunisian diplomatic or consular missions accredited in the host country, and to those who acquire Tunisian nationality.
These codes would be kept in a newly created “Register of the Unique Citizen Identifier” managed by the Ministry of Local Affairs under the supervision of the INPDP.
The unique identifier is intended to “support the governance of state interventions and, in particular, advance their efforts to counter the consequences of the COVID-19 crisis,” according to Lotfi Zitoun, the Minister of Local Affairs.
This new system aims to reduce the number of national and sectoral information systems, and facilitate the process of establishing a unified mechanism for online administrative services. In other words, the unique identifier system will unify the information about Tunisian citizens that exists in multiple administrative services, but in doing so, it will increase the risk of unlawful access, as we mention above.
According to Chawki Gaddess, the president of INPDP, the project will be put into action in mid-September 2020.
Civil society concerns
In a global context where many governments are rushing to implement new tech programs to demonstrate they are effectively responding to COVID-19, we are skeptical about the push for a new identity program in Tunisia now, despite the benefits its proponents hope to achieve. In countries with similar systems, such as Estonia, people have become the victim of breaches impacting the security of data, despite huge government investment in this area. Incidents like that remind us that no matter how much a country invests on cybersecurity, our information is never 100% secured. That is why international experts advise against putting in place centralized systems. Decentralization can reduce the scale and scope of potential breaches.
In defining the technical aspects of this project, the Ministry of Local Affairs needs to avoid a centralized approach and ensure that the unique identifier’s platform is based on models for secure communications, including providing end-to-end encrypted traffic as far as possible.
The Ministry of Local Affairs also stated that the INPDP confirmed that the project complies with Tunisia’s existing data protection law from 2004, but that is a flawed framework deeply in need of reform. As we stated before on multiple occasions, including during the leadup to the 2019 elections, Tunisia needs to put in place a robust data protection framework to which the unique identifier system would be subject. Current data protection law and regulations in Tunisia do not provide adequate safeguards or guarantees for personal data protection that conform with international human rights standards.
A draft bill to strengthen data protection in Tunisia has been under consideration since 2018, but the government has not made it a priority to move it forward. Ahead of a unique identifier — along with any other projects impacting Tunisians’ privacy, such as contact tracing — the government should move quickly and in consultation with civil society to update the data protection bill, and it should be included as part of the Parliament’s agenda for dealing with the COVID-19 crisis.
The unique identifier and the biometric ID: two sides of the same coin?
Many in Tunisia have asked how the unique identifier program compares to a project that was dropped in 2018, which would have introduced a new national biometric ID card. The biometric ID proposal would have stored vast amounts of data in a centralized database operated by a private company and raised many concerns around both privacy and security. After civil society won many privacy-protecting amendments to the bill in Parliament, the Ministry of Interior ultimately withdrew the project from consideration.
Though there is still much we don’t know about the unique identifier proposal, there are already some significant improvements:
- Eliminating the need to collect, store, and process biometric data — which is particularly sensitive, and can never be changed in the case of a breach — is an important step in the right direction.
- Based on the proposal as it stands, it appears to be a more limited registry of core data that certain government actors will be able to access, rather than a fully centralized database of information collected across agencies.
- The Data Protection Authority has been given a clear role in developing and evaluating the proposal.
- The proposal responds to specific concerns civil society raised during debate of the biometric ID. For example, Article 7 states that citizens must be able to get information about who has used their unique identifier and what actions were carried out.
However, it is too soon to tell whether this is a good or potentially very dangerous initiative. Many details about the program’s design and implementation have not yet been defined and are set to be clarified under consultation with the INPDP.
INPDP President Chawki Gaddess has said “the authority, a partner of the unique identifier project, will work on enforcing this legislation and will stand up against any deviation or breach of personal data and publicly denounce them,” but consultation with civil society will be essential to developing a rights-respecting framework as the government fills in the gaps.
And finally, just as we had to seriously question the value of the biometric ID initiative — especially considering its cost and the government’s failure to leverage existing tools, like the barcode already on ID cards — the government still needs to clearly demonstrate what needs the unique identifier program will meet and why it is the best approach for doing so. That is the fundamental question the global #WhyID campaign presents to any government looking to implement a digital identity framework.