Digital IDs for Malaysia

2018-10-21

This is an article on my opinion concerning the plan for digital IDs for Malaysians. It was not published.

Bringing back the idea

Since Minister Gobind brought back the idea of a digital ID for Malaysians, we are seeing a healthy debate going on concerning the feasibility or even the need for a national digital ID. I would like to also contribute to this debate.

I am who I say I am

The internet was originally designed to be "stateless", which basically means it has no memory. This means that if you visit a website and come back 3 seconds later, the website will treat you like a totally new person on your subsequent visits.

This is obviously an issue when you need to get things done. You won't have shopping carts, Instagram timelines, or friends on Facebook because the internet cannot differentiate between you and your grandmother.

Along the way, innovative ways were invented to work around this limitation, such as "cookies" and sessions, which have evolved to produce the user registration, username, and password combination that we so much love today.

One problem with this method is that no one is vouching for you: You come up saying "this is who I am, and I'm vouching for myself that this is true". For Facebook or Instagram, where the most complex everyday use case is sharing pictures of cats or your rented Chanel handbags, this is all fine. But if you need to do anything more that comes with responsibilities and social consequences, like registering your newborn child, renewing your business license, or making a loan application, someone needs to make sure that you are who you say you are.

This should be the main and only purpose a national ID program should perform: verifying that you are who you say you are, or in other words, creating a "platform of trust", as termed by Minister Gobind.

I don't trust you, but I trust that person who you trust

By design and nature of the internet, I cannot trust you, but the funny thing is, I will trust something that you also trust. This "something" naturally falls to some central authority like a government, because they are the issuer of identities.

It is interesting to note that this concept is not new: we are already using it in the HTTPS/TLS scheme (the padlock that you see in your browser's address bar, which ensures you're accessing a secure site).

Private entities, such as banks, are also able to connect to this central system. Using a state-issued ID card, you can access the myriad of private services that connect to the state and verify that you are who you are. Once they know who you are, you are then authorized to carry out actions based on the services you're currently accessing, such as making money transfers from your bank account or renewing your driving license.

A platform of trust, based on officially sanctioned national ID, to directly verify identity is more meaningful than indirect methods, such as sending SMS to mobile numbers, which prove possession rather than identity.

At the same time, the central authority should not (or must not) have access to whatever you're doing online once you've passed the verification phase. What you do, once you've been verified, will only be between you and the services you're utilizing.

A paper photocopied IC is not "verification"

The current way of doing things, as practiced by the majority of Malaysians regarding identity verification, is broken at best. We take our physical ID and make physical paper copies of it to sign up for services, from opening bank accounts to subscribing to mobile plans. This is far from secure, is not an effective form of identity verification, and can be easily abused. We have read of many cases where someone else has signed up for something that the real owner of that identity does not know about and yet ends up paying for.

An online platform of trust will help us reduce the likelihood of abuse by taking away the physical aspect of identity verification, which will also lead to a more efficient workflow since data can be processed much more easily than physical records.

Having said that, we must also understand and appreciate this: no technology is perfect.

It's Not If, But When

The fear that a central authority can be hacked is justified, and it is a risk that needs to be mitigated.

In the technology context, we mitigate this risk by increasing the hurdles before any hacked data is made usable, and minimizing the damage when (and not if) there is a data breach.

We do this by ensuring that hacked data is unusable without a second factor, such as an encrypted physical ID, which is not connected in any way to the central system. Those physical IDs can also be locked by passwords, which are stored on the ID itself and supposedly known only to the ID holder.

This means that if an aspiring hacker wants to steal the data of citizens in Malaysia, they need to hack the central system and steal 30 million ID cards, as well as figure out the password to access each of those physical devices. At the same time, third parties like banks, which access the central system to verify identity, will not hold the identity verification information themselves, which means that if a bank is hacked, the hacker will know how much money an account has but will not know who that account belongs to.
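
The scheme described above can be modelled in a few lines; this is an added example, not part of the original article and not the code of any real ID system. The names Card, verify and demo, the record id and the PIN are hypothetical, and a toy RSA key built from two fixed primes stands in for the card's real signing key so that the example needs only the Python standard library.

```python
import hashlib, secrets
from contextlib import suppress

# Toy RSA key from two known Mersenne primes: a stand-in for a real card key.
# Far too small to be secure; it only keeps the example standard-library-only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(msg: bytes) -> int:
    """SHA-256 of the challenge, reduced into the toy key's range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Card:
    """Hypothetical ID card: private key and PIN check live only on the card."""
    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self._private = D
        self.public = (N, E)          # the only value the registry receives
        self.tries_left = self.MAX_TRIES

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def sign(self, pin: str, challenge: bytes) -> int:
        if self.tries_left == 0:
            raise PermissionError("card locked")
        if not secrets.compare_digest(self._hash(pin), self._pin_hash):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = self.MAX_TRIES
        return pow(digest(challenge), self._private, N)

def verify(public, challenge: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(challenge)

def demo() -> dict:
    card = Card(pin="4071")                  # constructed sample PIN
    registry = {"id-0001": card.public}      # all that a registry breach leaks
    challenge = secrets.token_bytes(32)      # fresh nonce, so replies cannot be replayed
    ok = verify(registry["id-0001"], challenge, card.sign("4071", challenge))
    # With the registry dump but no card, an attacker can only guess a signature.
    forged = verify(registry["id-0001"], challenge, secrets.randbelow(N))
    # With the card but no PIN, the card locks after MAX_TRIES wrong guesses.
    for guess in ("0000", "1111", "2222"):
        with suppress(PermissionError):
            card.sign(guess, challenge)
    return {"holder": ok, "forged": forged, "tries_left": card.tries_left}
```

The registry never sees the private key or the PIN, so a copy of the registry alone does not let anyone answer a login challenge.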

Estonia's E-Residency Programme

I am enrolled in the Estonian E-Residency programme, where the state vouches for you and issues a state-sanctioned ID card which you can use to connect to state services online. The ID card does not have my picture on it, and is not valid as a self-identification document in the physical world. Estonia's E-Residency system employs the same scheme for personal verification and authentication I have explained above. In addition to e-residents, it is also used by Estonia's 1.3 million citizens to access government services (e-residents can access the same services too!).

Thousands of kilometers away, day or night, in my living room or at my favorite local café, I can sign agreements, check the status of my applications, and operate my business without having to wait in line or get stuck in traffic because all the different moving parts that I need to interact with know with a very high probability and confidence that I am who I say I am.

Well, I know 1.3 million people versus Malaysia's 30 million people is a huge difference, but that's the beauty of technology - you can scale it.

So...

Do we need this? I truly believe so. In fact, I believe it is inevitable. The technology is already there; it's open and we have no need to invent anything new. The actual example of implementing it statewide is also there (Estonia), as well as any learnings or know-how. It has been done and it has been proven.

The right to be connected online is now starting to be accepted as a universal human right. Coupled with the constant business need to get better efficiency and savings, being able to do work and business online will become increasingly necessary.

Allowing us to do business and deal with bureaucracy online will free up a tremendous amount of time that we can use to enrich ourselves in many other ways. This is, in the end, what technology is supposed to be about: empowering human beings by allowing us to regain our most valuable resource – time.

The more relevant and important question is, when? Obviously, as a country with limited resources, there is the question of prioritization. I will leave that question as a homework assignment to be answered by our elected representatives.

But before we embark on this project, an important issue we must address, as pointed out by Ms. Erna Mahyuni in her piece, is that Malaysia does not have a good track record of enforcing privacy laws, and to top it off, there is a very low understanding of privacy and privacy rights. This is a larger issue which should be addressed, regardless of having a national digital ID or not, as it affects us all, right here, right now.

However, I believe the creation of a national digital ID as a basis for a platform of trust to empower citizens of Malaysia is inevitable in order to remain relevant and competitive.
