To advance the United Nations’ Sustainable Development Goals (SDGs), national identity programmes have rapidly been implemented across the world. However, the implementations often overlook critical privacy and cybersecurity considerations, putting citizens’ data at risk.
Nigeria’s national identity project, which is arguably Africa’s largest programme given its population of over 200 million citizens, has been plagued by privacy concerns. Although now resolved, the privacy issues highlight the risks posed by digitising national identity databases.
This is an important finding from my research into the case of the Nigerian national identity database, at the University of Johannesburg in South Africa.
A world of data breaches involving identification documents
On September 22, 2022, Australians woke up to the news of an enormous data breach of Optus, the country’s second largest telecommunications company.
The breach gave hackers access to at least one form of valid identification and personal information of about 1.2 million Optus customers. Furthermore, an additional 900,000 customers had their identification numbers and personal information from expired identification documents stolen.
Although it was confirmed that the hackers only accessed the data of 1.2 million people, the data breach exposed the identification information of 9.8 million Optus customers in total. This staggering figure represents approximately 40% of Australia’s population.
Data breaches of this scale tend to expose the people whose information has been stolen to the threat of identity theft, financial scams and social engineering-based cybersecurity exploitation. To mitigate this, Optus began contacting affected customers to inform them of the breach, particularly warning them to be on alert for fraudsters who might seek to exploit the stolen data, including email addresses, dates of birth, phone numbers, and driver’s licence numbers.
Also, in response to the data breach, Optus brought in a consulting agency, Deloitte, to lead a review of what happened in order to garner lessons to forestall a repeat. There was also a regulatory response from the Australian authorities, who decided to change existing privacy rules so that consumers, such as Optus’ customers, can be better protected after data breaches come to light.
The proposed regulatory reforms involve giving banks access to information they will need to recognise the individuals who have been put at risk because of illegal access to their personal data. Australian authorities also plan to centralise the nation’s identification data, thus limiting the amount of identification data companies are required to hold in order to run their operations. This mitigates the risk of serious breaches such as Optus’.
Privacy flaws in Africa’s largest identity database
While my study was conducted in a context far removed from Optus’, its significance is often highlighted by the large data breaches that occurred in Australia. Nigeria’s implementation of an Unstructured Supplementary Service Data (USSD) code for its national identity database unwittingly disclosed the National Identity Numbers (NIN) of Nigerian citizens.
Initially, anyone who had the surname and date of birth information of any Nigerian could dial the USSD code *346# on major mobile networks in Nigeria and access the NIN of that individual. For context, these two pieces of information are sometimes readily available public information, which when obtained can be used to access NIN information.
However, the National Identity Management Commission (NIMC), which administers Nigeria’s national identity programme, corrected this flaw by permitting the USSD operation only on the phone numbers linked to the NIN. This progress came only after a lengthy lawsuit by a coalition of civil society organisations championing privacy rights in the country.
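The difference between the original and the corrected USSD behaviour described above can be modelled in a few lines. This is an added example, not NIMC's code: the record layout, function names and all sample values are constructed, and it assumes the mobile network (not the user) supplies the caller's number to the service.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    surname: str
    dob: str            # ISO date, YYYY-MM-DD
    nin: str            # constructed placeholder, not a real NIN
    linked_msisdn: str  # phone number registered against the NIN


# Constructed sample registry; every value is made up for this example.
REGISTRY = [
    Record("Adeyemi", "1990-04-12", "NIN-0001", "+2348030000001"),
    Record("Okafor", "1985-11-30", "NIN-0002", "+2348030000002"),
]


def normalise_msisdn(raw: str) -> str:
    """Map local (080...), 234... and +234... spellings to one canonical form,
    so the ownership check cannot be skipped or broken by formatting."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("234"):
        digits = digits[3:]
    elif digits.startswith("0"):
        digits = digits[1:]
    return "+234" + digits


def _find(surname: str, dob: str) -> Optional[Record]:
    for rec in REGISTRY:
        if rec.surname.lower() == surname.lower() and rec.dob == dob:
            return rec
    return None


def lookup_original(surname: str, dob: str) -> Optional[str]:
    """Original behaviour: surname and date of birth alone return the NIN."""
    rec = _find(surname, dob)
    return rec.nin if rec else None


def lookup_corrected(caller_msisdn: str, surname: str, dob: str) -> Optional[str]:
    """Corrected behaviour: answer only when the request comes from the phone
    number linked to that NIN. A wrong caller and an unknown person both get
    None, so the reply does not confirm that a record exists."""
    rec = _find(surname, dob)
    if rec is None:
        return None
    if normalise_msisdn(caller_msisdn) != normalise_msisdn(rec.linked_msisdn):
        return None
    return rec.nin
```
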
The study also highlighted a faulty implementation of Nigeria’s national identity mobile app, which revealed the identity information of strangers when downloaded from the Android or iOS stores by individuals who had enrolled for the NIN. However, these have now been corrected, and since that time Nigeria has made progress in the management of privacy around its national identity programme.
The risks of digitisation
These incidents demonstrate that the push towards digitising national identity databases globally comes with risks. Digitising identity documents perhaps improves the capacity of governments to organise the huge trove of data and to utilise them more effectively in the administration of social services. Nevertheless, when done without a thorough consideration of the real threat of data breaches, the consequences could be huge, as Australia recently learnt.
In South Africa, for instance, the Department of Home Affairs (DHA) announced its plans to hire 10,000 young graduates to digitise the nation’s identity documents dating back to 1895. These include more than 350 million records of births, marriages, and deaths, which it plans to store in computers. These plans are part of a broader effort towards digitising the DHA as announced by the government.
While these plans are laudable, it is important that they are backed by a robust privacy and cybersecurity plan. There is a ready market for stolen identity documents. This is fuelling data breaches like those of Optus in September 2022, and the Argentinian national identity database in 2021. It is, therefore, crucial that governments adopt international good practices in the implementation of identity databases, such as building in privacy mechanisms like encryption and tokenisation.
Okunoye, B. (2022). Digital identity for development should keep pace with national cybersecurity capacity: Nigeria in Focus. Journal of Cyber Policy, 7(1), 24–37. https://doi.org/10.1080/23738871.2022.2057865