Implement Stronger Safeguards for NIDS Authentication and Verification Logs

Prevent use of NIDS data for social profiling and surveillance through stronger restrictions on how authentication logs can be used.

Enrollment and use of the NIDS card results in a record of an individual’s pattern of life (what, when and how frequently they access services). Without stronger safeguards to protect this data, NIDS could expose Jamaicans to unprecedented risks of social profiling, digital surveillance, and prejudice. The NIDS bill must implement stronger safeguards.

What This Could Look Like in Real Life

01. Andrew's Mistaken Identity
02. NIDS, Election and Misfortune

It is 2030. While NIDS is used by many Jamaicans to access day-to-day service, the management of transaction log data has not been clearly addressed. Multiple public and private entities request and use this data.

The police are mining the transaction records looking for individuals that match a specific pattern of behavior in target communities. Based on Andrew’s behaviour patterns he and several other individuals get flagged as candidates for additional surveillance.

The police request, under Section 24 of the Bill, that the identity information of the individuals who match the target behavioral pattern be disclosed to them. Andrew is called in for questioning and upon further investigation, it turns out that he visits the community to care for an ailing grandmother.

An upcoming election is expected to be close. Individuals between the age of 30-45 in specific communities are estimated to play a critical role in determining the election’s outcome.

The current government requests from the NIRA transaction logs for all individuals between the age of 30-45 to better understand the services most frequented by this demographic across multiple constituencies. The Government’s rationale for the request is to “improve public services”.

The Government uses this information to build a targeted digital and offline strategy and messaging campaign that shapes public perception of the opposition candidates. They use the information to shape the promises they make if re-elected.

Details

The Government intends for NIDS to be used by enrolled individuals to access both in-person and online services such as opening a Bank account, visiting the doctor or clinic, receipt of PATH benefits, etc.

When a card is used, individuals and businesses will be able to verify the identity of the individual presenting the card with the NIRA.
When the NIRA receives these requests, the Bill requires it to create a record of the “authentication or verification request in a database. As more businesses and individuals use this system to verify the identity of an enrolled individual, a pattern of life is created on that person.

This pattern of life includes what services they access, when they access them, and how frequently. With the broad adoption of NIDS, this database will approach a near real-time log of that individuals’ behaviours.

Currently, the NIRA Bill is silent on how these records will be used or protected. For example, it does not regulate what data these records will capture, how the data will be stored, or how it will be used and shared by the authority. The misuse of behavioural data by companies such as Facebook and Cambridge Analytica provide relevant examples.

If these authentication logs were misused, the Jamaican public could face unprecedented risks of social profiling, digital surveillance, and algorithmic prejudice. The Bill as drafted does not recognize the importance or risks to enrolled individuals for collecting this data.

We believe the Bill must add safeguards to protect enrolled individuals and place clear limitations on how the authentication logs can be used.

Recommendations

Establish in the law that the only lawful use for the authentication and verification services logs is to provide an enrolled individual with access to their own information. No other form of processing should be legally permitted, and no other function pursued.
Introduce provisions that require the Authority to implement similarly strong privacy and security protections required for authentication and verification logs as those prescribed for “identity information”. For example, currently the law only requires encryption of “identity information”.
Explicitly forbid the Authority from aggregate and/or anonymous processing of the authentication and verification records/logs.
Explicitly prohibit the Authority or any other entity from taking any action whose effect could enable the use of the authentication and verification services under NIDS (including its records/logs) to create profiles of persons or monitor/track their activities.
Amend Section 25 to include language that affirms that the authentication and verification records/logs are the personal data of that enrolled individual.
Expand the definition of verification to include both types of verification activities that the Authority performs under Sections 12 and 25 and clarify what forms verification under Section 25 may take.
Amend Section 25(4) to give the individual, rather than the authority, control over the period for which records/logs of authentication and verification are kept.

Status: Pending

Watch this space! We will provide an update once the Joint Select Committee has made a decision on this issue.

Last updated 2021-05-27

Talk Up!

If this issue matters to you, talk about it. Share this page (and your questions or suggestions) with friends or government representatives.

Comments, Questions?

Is there something we overlooked with this issue?
Have questions? Let us know!