Technology: Digital IDs for all

This article first appeared in Enterprise, The Edge Malaysia Weekly, on June 10, 2019 - June 16, 2019.


The conversation on national digital IDs is not new. Governments around the world have expressed both interest and concern, in roughly equal amounts, about adopting these in their countries.

However, citizens of more developed countries such as Australia, Canada, New Zealand, the UK and the US are opposed to the idea of biometric-based national ID schemes, mainly on the grounds of privacy.

The UK government introduced the GOV.UK Verify scheme in 2016 as a way for people to prove their identity for online government services, targeting 25 million users by 2020. As at March, it had only managed to acquire 3.6 million users.

Singapore has already created a digital ID programme, with the SingPass Mobile app taking effect in the middle of last year. Malaysia and the Philippines have expressed interest in developing such a programme.

But are we ready for it?

HID Global thinks so. Allan Malcolm, its regional director for citizen ID solutions for Asia-Pacific, says Malaysia is a good candidate to develop a national digital ID programme because it has a national registration programme and an established smartcard ID, the MyKad.

“This means the transition to a digital ID will be a more straightforward process. If you had to go through the process of enrolling an entire population, that would be a lot of work and it would probably also require quite a bit of change in mindset for you to be able to do that,” says Malcolm.

He points out that even though other countries in the region have announced they will develop a national ID programme, the governments will need to go through a massive enrolment initiative nationwide, which will get increasingly difficult when heading into rural areas. The process will be time-consuming and expensive in countries with large populations.

“Malaysia has gone through most of that hard work and has a well-established national registration database and a mechanism for producing an identity card (IC) number that is granted to you at birth. That vastly simplifies the process,” says Malcolm.

Another advantage Malaysia has is that people are already comfortable carrying around their ICs as part of their daily lives, he says. “It has been around for many generations and Malaysians have had an IC for historical reasons. But it is part of the culture too. So, I think people will look at enhancing those services and understand what it can do for them.”


What Will Digital IDs Offer?

Today, when technology has become an integral part of most of our lives, convenience and reduced interaction with any government agency is an attractive idea. “Changing your address should not take two hours in a government office. And I am sure they would rather you did not either because it is hard work for everyone,” says Malcolm.

A national digital ID will enable this convenience because it will be a digitally secured credential stored on your smartphone, in addition to a physical card, he adds. “What platform it is stored on is somewhat irrelevant, but not entirely. One can have a highly secure cryptographic microprocessor in a smartcard and secure a digital credential in it or a smartphone.

“From a technical perspective, these two things can be almost identical. The advantage of having identity information on a phone is that there are other features attached to it, which makes it extremely useful because it allows connectivity with the outside world, whereas a card does not.”

Malcolm believes that ultimately, digital IDs will end up being stored on phones. But the first thing that needs to increase is the functionality of the ID credentials. The MyKad currently stores information on a contact chip and while it was a great innovation 15 years ago, it needs to be made more relevant.

“Things become interesting when we consider what you want to do with [your IC]. I think the first thing people need to be able to do is use their IC to interact with online services and cyberspace,” he says.

“With your IC as it stands right now, you can use it at most government agencies. But you cannot use it to digitally sign a document online using a standardised digital signature.”

Instead of going all the way to a government agency with your IC to verify that it is you carrying out the process, you can just place your IC on a smartcard reader or provide a digital signature from your IC to sign a document. “This will be extremely useful when you are doing your tax returns, for example, or when you want to sign a legal document,” says Malcolm.

The process would look something like this: a citizen puts his IC on a smartcard reader built into his laptop, then does a facial verification using the camera on the laptop to prove he is physically there. “If we develop this, then [the transaction] will be secure for me as the consumer and for the other side as the recipient of documents,” he says.

As the MyKad was developed when smartphones and international standards had not been created yet, it should be upgraded to be relevant today. ISO standards have been developed around how one manages and administers national, smart and digital identities and this is one of the things the MyKad should adopt, says Malcolm.

From a data perspective, you can put your credentials on the MyKad. But you still need to have a laptop with a camera and a smartcard reader to use the credentials, whereas all these features are available on a smartphone.

“This is when things become interesting in terms of where you take it on mobile. I would not need a card anymore and I would have the same security on my phone if I encrypt and secure the credentials on the phone, using software that allows me to unlock and validate with my own biometric fingerprint or facial recognition. Then, I can use it to send data from [my phone],” says Malcolm.

“In banking, you are sent a one-time password. But take that a step further. If I am on a laptop here and I want to sign a digital document, the number comes to your phone and you are asked, ‘Do you want to digitally sign this document with your device?’ You click yes, put your fingerprint and we are done.”

Although almost everyone has a smartphone nowadays, a national digital ID will not make the physical card redundant because there will be those who would be happy to have just the physical MyKad, he says. However, in the long run, they will be constrained by what they can do with it.

Malcolm believes that people will eventually use their national digital IDs for transactions, just like how toll highways went from using a cash-based system to using the Touch ‘n Go card and SmartTAG.

“You can still pay cash nowadays, but you will need to be in a long queue. So, you have been driven away from using cash and encouraged to use the Touch ‘n Go card and SmartTAG. The same kind of thing will occur with national digital IDs,” he says.

“The physical IC may remain the legal anchor document in Malaysia. But with the mechanism in place, you will have more functions and services available on your mobile phone. However, [the card] is still legal.”

The cost of infrastructure will go down if national digital IDs are implemented because the government will not need to fork out more funding to provide software and hardware to read credentials, says Malcolm. “The ability to validate your identity using your phone means that the government does not need to provide the hardware because we buy and pay for our own phones. All it needs to do is manage the back-end for it to be supported on a phone, and a lot of the infrastructure is already in place.”

Legal frameworks have to change too. In Malaysia, the MyKad is a legal document and a form of identification for Malaysians. Credentials stored on a phone may not be recognised legally as identification and there may be other requirements and legislation changes needed to certify that the credentials on the phone are valid too, says Malcolm.

“Some may say they accept digital signatures for online behaviour and so on. But the card is still a legal physical document and at some point, where there is a critical legal decision, you are expected to bring the card in person,” he adds.

The natural custodian for the national digital ID programme will be the National Registration Department (NRD) since it holds the records of every citizen in the country, says Malcolm. For the programme to work, there needs to be inter-agency cooperation because the system will only be useful when every department uses the same base data.

“If everyone has their own credentials, why bother? We do not want to have 10 different apps on our phone for 10 different things that we currently do,” he adds.


Security Concerns

Trust and cybersecurity issues will be on the minds of most users when considering the impact of a national digital ID programme. This is where companies such as HID Global come in, says Malcolm, because it has expertise in ensuring data protection and integrity.

He adds that with the development and implementation of international standards, data integrity and privacy are managed and ensured. As the rightful custodian of national digital IDs, the NRD will be responsible for data integrity, validity and accuracy.

HID Global’s job is to ensure that data will not be shared without the holders’ permission. That is the job of the technology that surrounds the ID, says Malcolm.

“For example, our technology does not require a government database to be online. So, when I issue a credential to your card or device, it is stored securely [on the phone]. If somebody is able to disassemble that information and in some way decode what was there, they will have access to one IC and all their months of work will give them information to attack only one particular thing, not the entire database.

“Now, the integrity and protection of that data is the responsibility of the government department. But that has always been the case. We would not be adding anything new and we are not increasing anybody’s risk.”

What tech companies need to make sure of is that someone does not retrieve information from a phone and read it without the owner’s knowledge because that will be a breach of data privacy, says Malcolm.

“When we are talking about HID-specific technology, we have the mechanism to manage both ends. So, without the relevant keys stored on your phone, I cannot read any information from you.”

The way it should work is that the NRD issues a citizen a secure credential on a mobile application that has his MyKad credentials as well as all relevant data such as his fingerprint, photograph, date of birth, address and so on. If the Road Transport Department (RTD) wants to issue a driver’s licence, it should be able to just add the credential to the existing framework. But it cannot change any of the information.

“So, the RTD could add and revoke driving authority without interfering with the MyKad information. It becomes interesting at the reading component. Let’s say a policeman stops you by the side of the road. He is entitled to read everything, along with your driving credentials. But if an RTD officer stops you, all he can access are your name, photograph and driver’s licence information.”
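The layered model described above (one agency adds or revokes its own credential without altering another's, and different readers see different fields) can be sketched as follows. This is an added illustration, not HID Global's or the NRD's design: the keys, field names and role names are hypothetical, HMAC stands in for each agency's digital signature, and the disclosure policy is enforced by the wallet rather than cryptographically.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for a per-agency digital signature;
# in a real scheme each agency would hold only its own private key.
ISSUER_KEYS = {"NRD": b"demo-nrd-key", "RTD": b"demo-rtd-key"}

# Hypothetical reader roles: fields visible per issuer section ("*" = all).
READ_POLICY = {
    "police": {"NRD": "*", "RTD": "*"},
    "rtd_officer": {"NRD": {"name", "photo"}, "RTD": "*"},
}

def _tag(issuer, attrs):
    msg = json.dumps({"issuer": issuer, "attrs": attrs}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def issue(wallet, issuer, attrs):
    """Add or replace only the issuer's own section; others are untouched."""
    wallet[issuer] = {"attrs": dict(attrs), "tag": _tag(issuer, attrs)}

def revoke(wallet, issuer):
    """An issuer withdraws its own section, e.g. RTD revoking a licence."""
    wallet.pop(issuer, None)

def section_valid(wallet, issuer):
    sec = wallet.get(issuer)
    return sec is not None and hmac.compare_digest(sec["tag"], _tag(issuer, sec["attrs"]))

def present(wallet, role):
    """Return the fields a reader role may see, from verified sections only."""
    out = {}
    for issuer, allowed in READ_POLICY[role].items():
        if not section_valid(wallet, issuer):
            continue  # missing, revoked or tampered sections are never disclosed
        attrs = wallet[issuer]["attrs"]
        out[issuer] = {k: v for k, v in attrs.items() if allowed == "*" or k in allowed}
    return out

def demo():
    # Constructed sample citizen record and licence, for illustration only.
    wallet = {}
    issue(wallet, "NRD", {"name": "A. Citizen", "photo": "<jpeg>",
                          "dob": "1990-01-01", "address": "1 Example Road"})
    issue(wallet, "RTD", {"licence_class": "D", "expiry": "2030-01-01"})
    return wallet
```

Editing a field in the NRD section without the NRD key invalidates that section's tag, so `present` drops it while the RTD section still verifies on its own.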

One of the biggest challenges for companies such as HID Global is finding the right people to talk to and work with in government departments to help implement a national digital ID programme. Malcolm says it is important for the company to communicate with the right people so that both sides understand what is going on.

“It is challenging, through no fault of [the government], because it is difficult to find digital ID and crypto specialists in government departments as this is not normally a skill requirement. There are a lot of vocational experts and those who understand real implementation challenges, but they may not be familiar with the underlying technologies,” he adds.


Beyond Government Agencies

Once the right infrastructure is in place, the next step would be to get other sectors to add on credentials to the national digital ID, says Malcolm.

A sector that would greatly benefit is healthcare. Those who have healthcare entitlements can have their information put on the digital IDs. So, instead of having the hospital check on what a patient is entitled to, they can access it immediately.

“Infrastructure is very important and if we are talking about the bigger picture, governments can start talking to private insurance companies and allow them to put an insurance entitlement on the ID. So, if you are admitted to hospital, you do not have to check entitlements with your insurance agent before checking into the hospital. This also reduces stress during an emergency,” says Malcolm.

Another sector that could benefit from a national digital ID programme is banking, especially with the emphasis on know-your-customer validation and anti-money laundering regulations, he says. With national digital IDs, banks can add a secure method of validation to ensure the identity of the account holder.

In the education sector, the ID can ensure that the right person is sitting for an examination instead of an impostor. “Right now, I think everyone is standing on the edge of the pool and waiting for the first one to jump in and when someone does, everyone will get on the bandwagon because the benefits are just so far out. But everyone is scared of taking that first step.”