Nigeria: There can be no digital identity (ID) without digital security

Babatunde Okunoye
23 Jul 2021

RIA is working with 10 African partners evaluating the rollout of digital ID systems in their respective countries under the auspices of our BIO-ID project. Our country partners are summarising their findings in blogs, and in this installation, Babatunde Okunoye from Nigeria, fellow at the Berkman Klein Centre for Internet and Society at Harvard University, argues that digitising citizens’ data increases the risk of cybersecurity breaches.

Many governments across Africa have begun implementing digital identity schemes in line with UN’s Sustainable Development Goal 16.9, which aims to ‘’provide legal identity for all, including free birth registrations’’ by 2030. More than 40% of those lacking IDs live in Africa. This bars them from fully participating in national life in civic duties such as voting; and also from accessing services such as banking and government social transfers. The numerous government-sponsored digital identity programs in Africa, such as Nigeria’s, attempt to solve these problems and provide routes to inclusion in national life for millions of people.

But many of these programs have been implemented without adequate consideration for digital security and privacy. Digitising citizens’ data, which make up digital identity and storing them in centralized databases (as with the case of Nigeria and many other African countries), increases the risk of cybersecurity breaches of digital identity databases. The planned linking of the foundational digital identity number of citizens with all other functional identities such as driver’s license, health insurance, voter’s registration and bank verification number in countries such as Nigeria only increases the value of the foundational digital identity, increasing the risk of cybersecurity breaches. In the event of a cybersecurity breach, data stolen in this context can be used to authenticate transactions, or used in phishing attacks. In more brazen exploits, ransomware attacks can be implemented to hijack data to be released only after the payment of fees.

Cybersecurity breaches are now regular occurrences in our world. In May this year, following a pattern of significant global cyberattacks in the past five years, hackers breached the computer network of Colonial Pipeline, which runs the major petroleum supplying the east coast of the United States (US). Using ransomware to cut off the customer data of the utility, which prevented Colonial from correctly billing its customers, they demanded a significant ransom that was allegedly paid. More pertinently however, hackers have developed a liking for government databases. In 2015, hackers breached the Office of Personnel Management (OPM), the human resources department of the US federal government. Personal data of up to 21.5 milliongovernment employees, contractors and their families and friends was compromised. Similarly in the US in 2015, a database of 191 million voters was exposed. This breach exposed the personal information including names, dates of birth, party affiliations, emails, addresses, and more – of voters in all of the US. The aftermath of such large data breaches usually includes years of footing the bill for identity theft and credit monitoring for the victims. In Africa, we cannot afford that bill.

Although some digital identity projects such as Nigeria’s report global certifications, the Global Cybersecurity Capacity Center(GCSCC) reports a cybersecurity maturity model for Nigeria that is largely formative in most of its maturity estimates. This suggests a stage of national cybersecurity maturity where capacity has begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply new. This formative status might be reflected in some flawed implementations of the digital identity scheme – such as mobile phone USSD code, which permitted anyone with the surname and date of birth of a Nigerian to access their National Identity Number (NIN) from a mobile phone. This security lapse was only rectified following litigation by civil society. Similarly, many Nigerians reported problems with an earlier version of Nigeria’s digital identity mobile app – which brought up data on other people rather than the real owners of the digital identity.

Potential cybersecurity breaches of digital identity databases are not limited to the institutions that manage these identities. Citizens and residents who use digital identities are sometimes not aware of the cybersecurity risks associated with the identity, which can include identity theft and phishing attacks. The GCSCC Maturity Model for Nigeria estimates the country’s level of national cybersecurity education as established. (This means that the indicators of this      aspect dealing with cybersecurity and knowledge capabilities are in place, and functioning. However, there is no well thought out consideration of the relative allocation of resources.) Earlier this year, following the directive from government that all NINs be linked to phone numbers in Nigeria, several fake websites and apps appeared on the Internet offering this linkage as a service in exchange for sensitive personal information. In reality, they were created by hackers to steal sensitive information for use in cyberattacks. 

Some of the most brazen cybersecurity breaches of government databases (some explored above) have occurred in countries thatare world leaders in cybersecurity. For example, it is reported that the US’ OPM repels 10 million attempted digital intrusions per month. As national identity schemes in Africa mature and become more integrated with public and private services, as envisaged, it will be a matter of when, not if they are targets of cyberattacks. As shown in Nigeria’s EndSars protests of October 2020, governments’ digital assets will come under attack in conflicts with other actors. 

For data as sensitive as digital identity for millions of citizens, a cyber exploit would cause unimaginable damage, disrupting the lives of millions of people and paralyzing key government services. Digital identity for all in Africa can only be realized within the context of a sound cybersecurity framework and active practices such as ensuring that the cybersecurity procurement mechanisms meet international cyber security (open) standards, regular staff re-training and cybersecurity penetration testing. It is imperative that considering the rapid implementation of Digital Identity programs across Africa, more investment is made to ensure the digital security of data entrusted to government.

Dig Deeper

Poor and marginalised people make up the largest percentage of people without official identity. Due to existing digital and structural inequalities these groups are at risk of further discrimination and socio-economic exclusion depending on how Digital ID systems are developed. If not carefully evaluated, the digitalisation of ID systems may also subject citizens to state surveillance. As a result, there is a growing and urgent need to examine the impact of Digital ID systems on human rights in Africa and use these findings to develop evaluation frameworks that ensure compliance with international rights and data protection norms. To support this need Research ICT Africa’s BIO–ID project deploys a legal Evaluation Framework for Digital Identities developed by the Centre for Internet and Society (CIS). This framework was previously used to evaluate the Indian government’s mandatory biometric ID project that was found to have violated citizens’ human rights by denying them access to essential services and benefits. The African evaluation project brings together partners from 10 African countries, including Ghana, Kenya, Lesotho, Mozambique, Nigeria, Rwanda, South Africa, Uganda, Tanzania and Zimbabwe.

In addition to the blogs being produced by our country partners to introduce you to the issues that they’re uncovering in this important new research area, RIA’s Kristophina Shilongo is interviewing partners to delve deeper into the socio-economic challenges ushered in by the rollout of digital ID systems in Africa. Read her interview with Babatunde Okunoye of Nigeria below.

Digital IDs should enable greater government efficiency in national planning

In the fourth of the series of interviews with our partners participating in RIA’s BIO-ID projectKristophina Shilongo interviews, Babatunde Okunoye from Nigeria, fellow at the Berkman Klein Centre for Internet and Society at Harvard University, about the implementation of digital IDs in his country. Okunoye one hopes that the new digitised system will facilitate better national planning by his government.

KS: We’ve seen a lot of interest in digital ID on the continent from a diversity of donor agencies, financial institutions, and governments. Why do you think this is the case?

BO: The deep interest we see in digital ID in Africa stems from the realization that according to a World Bank estimate, more than 40 percent of those lacking IDs in the world live in Africa. So, in Africa the need is huge. Also, there is the renewed awareness of the extent of the exclusion the lack of IDs cause for individuals. In many countries in Africa, without an ID one cannot open a bank account, register to vote, or access government social transfers for instance. These three examples – and there are more, signal the deep marginalization from fully participating in society the lack of IDs precipitate. The United Nations Sustainable Development Goal 16.9 aims to ‘’by 2030 provide legal identity for all including free birth registrations’’. 

Moreover, governments across Africa have identified the critical need to implement digital identity schemes to cut costs and eliminate inefficiencies in payroll management. For example, the Nigerian government implemented a digital identity scheme in the management of its civil service payroll. This enabled the government to reduce multiple payments for staff who sought to game the system.  

KS. If policymakers in Nigeria can take away one lesson from your case study, what do you hope it will be? 

BO: One lesson I hope gains traction is the need to pay attention to the human rights issues that arise from the implementation of digital ID systems. Perhaps the most important is privacy. Data intensive systems like national identity databases should not come before the enactment of data privacy laws and the presence of national data protection commissioners. The cart should not come before the horse – otherwise the door is opened for all sorts of data abuses and violations the type we’ve typically seen over the years.

Nigeria does not have a data protection law, although a data protection bill is before the National Assembly. Ordinarily, the presence of a data protection law ought to proceed, not follow the implementation of a national digital identity program. Nigeria does have the Nigeria Data Protection Regulation 2019, put forward by the National Information Technology Development Agency (NITDA). However, industry experts have taken the position that a regulation by a government agency cannot take the place of a substantive legislation enacted by the National Assembly.

KS: What research still needs to be done to support the future development of digital IDs that support, not hinder, socio-digital equality on the continent?

BO: Several important research questions still need to be answered. Among them are the barriers faced by women, the disabled and marginalized (for example border or immigrant) communities in accessing IDs; and interrogating the cybersecurity integrity of digital identity systems on the continent.

These are important questions particularly for the Nigerian context. For example, in Northeast Nigeria where aninsurgency has raged on for many years, many citizens have been denied the chance of enrolment in the digital identity program, many of them being internally displaced persons. Within the context of the Northeast also, many of these individuals live in border communities with neighbouring Chad, Cameroon and Niger Republic.

KS: What are your biggest hopes for the future of digital ID’s in (your case country)?

BO: My biggest hope for the future of digital IDs in my country is that the implementation of the programme would enable greater government efficiency in national planning. Particularly because the digital identity is expected to be linked with other functional identities such as Bank verification numbers and pension numbers. Much the same way the government has been able to cut down on waste in its payroll, I hope having such a large database will enable more efficient coordination and planning between government departments and the private sector, in this age of BigData. Ultimately, I hope this will improve the effectiveness of government services. 

KS: What are your biggest fears for the future of digital ID’s in (your case country)?

Nigeria has recently commenced the process for all mobile device users to have their IMEI numbers captured in a government database – a move many have interpreted as intrusive, especially following an earlier directive for all Nigerians to have their mobile SIM cards linked with their National Identity Numbers. My biggest fears for the future of digital IDs in my country is the possibility that it could be used to enhance the surveillance powers of the government targeted at the opposition or government critics.