March 12 2024, Asia Meetup

The Asia Regional Meetups are bimonthly text-based gatherings that bring together folks from the Asian region to share, connect, seek help, and release stress by celebrating each other. In addition, it is a time for us to find ways to support each other, and help us understand what is happening in our part of the world. If you cannot attend the monthly meetups, we are taking notes of each gathering and linking to them below.

The Asian community is connected during the week in different ways. Either through the Asian channel on the TCU Mattermost or via different events organized on various topics during the year.

Date: Tuesday, March 12 2024

Time: 5:30pm IST/ 6:30pm MMT / 8am EDT / 12pm UTC (What time is it in my city?)

Who: Facilitated by Sapni

Where: Text-based format in the Regional Asia channel on the TCU Mattermost.

• Don't have an account to the IFF Mattermost? you can request one following the directions here.

Agenda

This meetup will be hosting Engage media who will speak about their digital rights work within South and Southeast Asia, and their new report regarding existing systems and regulations on Biometric and Digital Identity.

Notes

First of, we do not see as much attention paid to biometric and Digital id systems, as much as say AI or platform governance. But BIDs continue to create infrastructures for a lot of digital rights violations. What was the motivation behind the study?

Great question! Throughout the region, governments are working on or developing national ID systems for integration and efficiency. However, these systems come with human rights concerns. Given that these IDs aim to streamline access to various services, including healthcare, elections, bank accounts, and civil registration. Our Greater Internet Freedom project then aims to address this critical issue by investigating the regulations, infrastructure, and impact of the implementation relating to Biometric and Digital ID systems.

• True, the region does see an accelerated pace of entrenching digital IDs as well as exporting them!
• that's correct. in SSEA especially, nearly all countries that we've investigated with the exception of Cambodia have adopted some form of Biometric and Digital ID to varying degree of success and efficacy :slightly_smiling_face:

Now that we have a background on the project, tell us more about the report. According to you, what are the three most concerning takeaways that need urgent attention from stakeholders to prevent Biometric and Digital IDs from being used as tools for violation of human rights?

1. Inadequate law for existing Digital ID infrastructure: only three (Indonesia, Philippines, and Sri Lanka) have enacted a stand-alone, unified, data protection legislation. Out of these three countries, two are still in the early stages of implementing and operationalizing their laws. we also receive reports of personal data leaks from some of our focus countries, such as Indonesia and the Philippines, due to negligence or abuse of power.
2. Non-transparent collaboration between state/government and third party actors: we notice that there has been a trend that states often collaborate with third party actors -- private sector or otherwise -- to manage and store personal data of citizens to some degree. a lot of these agreements are done privately, with provisions that are not disclosed to the public, making it non-transparent.
3. Exclusionary practices inherited from traditional ID systems: A lot of the current BDI systems inherit / gather their personal data from traditional ID systems, which are sometimes discriminatory to certain communities. For example, in Indonesia, some religious minorities are not able to get their traditional IDs and therefore are not eligible to apply for a BDI.

How does digital security interact with biometric and digital ID systems in SSEA? Are digital security practices picking up pace as much as the implementation of BDI systems?

We found that many of the Existing BDI system often relies heavily on biometric data of an individual, i.e. Fingerprints, facial structure, iris, palm features and movement styles. All of which are easily read by external devices without being significantly invasive. However, our region often implements BDI systems without proper digital security education to the public which creates some concerns in its implementations.

Given that Biometric information is permanent and cannot be changed, once it is stolen, it can’t be undone. In the event of a breach, these records are no longer a viable method of authentication. Another concern is that unauthorized use of biometric data for purposes like tracking, or surveillance can have severe implications for an individual's privacy. In everyday life, this can manifests in a myriad of things: synthetic fingerprints can be used to replicate prints, breaches at biometric databases pose a threat, and even a 3D printer can hack a fingerprint scanner. Your everyday items and touches might reveal your identity, paving the way for identity theft, compromising information and account security, and enabling criminal activity or impersonation.

On point two, how can improvements in procurement practices of the state or government better address non-transparency and other issues related to it?

One good practice that we're currently looking into is the practice of Open Government Partnerships. We're seeing this in Indonesia, who has pledged to the commitment underlined in the initiative, including to "encourage transparency and participation in Procurement". This commitment will encourage wider participation for the public to participate in procurement, monitor procurement carried out, and use the data to encourage policy improvements in government procurement.

In Indonesia, the OGP secretariat is actually integrated in the Ministry of Ministry of National Development Planning, and regularly involve civil society in the procurement relating to public interest and public services. there is also a complaint / critic portal that civil society can direct. We are working with other CSOs in the region to encourage their governments to join OGP.

That is a very promising development towards transparency!

Are there similar best practices that stakeholders can push for - both in terms of regulatory frameworks as well as policy measures to reduce the risks in biometric and digital ID systems?

1. One best practice that we're observing relating to efforts in reducing discriminatory efforts when it comes to Biometric and Digital ID collection and usage is implemented in Bangladesh and Nepal. Both of these countries implemented alternative means to verify identification other than using BDI in the meantime, and pledge to only shift fully towards BDI once all citizens have obtained access to the BDI system. Regulatory-framework wise:
2. For local government, it is advised to integrate rights-respecting provisions that satisfy the three-part test, and also to create accountability and grievance-redress mechanisms. there should also be mechanisms to protect the data from being abused by unauthorized access and/or misuse.
3. For regional bodies such as ASEAN, they should look into regional standards relating to Data Protection and Biometric Data Management such as EU's GDPR and ISO/IEC 39794 (2020)

Thank you Des, for sharing your incredible work with us!