This is an article on my opinion concerning the plan for digital IDs for Malaysians. It was not published

Bringing back the idea

Since Minister Gobind brought back the idea of a digital ID for Malaysians, we are seeing a healthy debate going on concerning the feasibility or even the need of a national digital ID. I would like to also contribute to this debate.

I am who I say I am

The internet was originally designed in such a way that it's "stateless", which basically means it has no memory. This means that if you visit a website and come again 3 seconds later that website will treat you like a totally new person on your second and subsequent visits.

This is obviously an issue when you need to get things done: You won't have shopping carts, Instagram timelines, or friends on Facebook because the internet can't differentiate between you and your grandmother.

Along the way innovative ways was invented to workaround this limitation, such as "cookies" and sessions, which has evolved to produce the user registration, username and password combination that we so much love today.

One problem with this method is that no one is vouching for you: You come up saying "this is who I am, and I'm vouching for myself that this is true". For Facebook or Instagram where the most complex every day use case is sharing pictures of cats or your rented Chanel handbags, this is all fine, but if you need to do anything more that comes with responsibilities and social consequences like registering your new born child, renewing your business license or making a loan application, someone needs to make sure that you are who you say you are.

This should be the MAIN and ONLY purpose a national ID program should perform: Verifying that you are who you say you are or in other words, creating a "platform of trust" as termed by Minister Gobind.

I don't trust you, but I trust that person that you trust

By design and nature of the internet I cannot trust you, but the funny thing is I will trust something that you also trust. This "something" naturally will fall to some central authority like the government, because they are the issuer of identities.

It is interesting to note that this concept is not new: We are already using it in the HTTPS/TLS scheme (the padlock that you see in your browser address bar to make sure you're accessing a secure site)

Private entities like banks are also able to connect to this central system. Using the state-issued ID card, you can access the myriad of private services that connects to the state and can verify that you are who you are. Once they know who you are, you are then authorized to carry out actions based on the services that you're currently accessing, like making money transfers from your bank account, or renewing your driving license.

A platform of trust based on officially sanctioned national-ID to directly verify identity is more meaningful than indirect methods such as sending SMS to mobile numbers that proves possession than identity.

At the same time, the central authority should not (or MUST not) have access to whatever you're doing online once you're passed the verification phase. What you do, once you're verified, will only be between you and the services you're utilizing.

A paper photostated IC is not "verification"

The current way of doing things by the majority of Malaysians in regards of identity verification is broken to say the best. We take our physical ID and make physical paper copies of it to sign-up for services from opening bank accounts to subscribing to mobile plans. This is far from secure nor it is an effective form of identity verification and can be easily abused. We have read of many cases where someone else have signed up for something which the real owner of that identity doesn't know of and instead is paying for.

An online platform of trust will help us reduce the likelihood of abuse by taking away the physical aspect of the identity verification, which will also lead to a more efficient workflow since data can be processed much more easily than physical record.

But having said that, we also must understand and appreciate this: No technology is perfect.

It's not if but WHEN

The fear that a central authority being hacked is justified and it is a risk which needs to be mitigated.

In the technology context, we mitigate this risk by increasing the hurdles before any hacked data is made usable, and minimize the damage WHEN (and not if) there is data breach.

We do this by ensuring that the hacked data is unusable without a second factor, such as an encrypted physical ID which is not connected in any way to the central system. Those physical ID can also be locked by passwords which are stored on the ID itself, and supposedly known only to the ID holder.

This means that if an aspiring hacker wants to steal the data of the citizens of Malaysia, they need to hack the central system, and steal 30 million ID cards AND also figure out the password to access that physical device. At the same time, third-parties like banks which access the central system to verify identity will not have the identity verification information on them, which means if the banks are hacked, the hacker will know how much money an account has but will not know who that account belongs to.

Estonia's E-Residency programme

I am enrolled in the Estonian E-Residency program, where the state vouches for you and issues a state sanctioned ID card which you can use to connect to state services online. The ID card does not have my picture on it, and is not valid as a self-identification document in the physical world. Estonia's E-Residency system employs the same scheme for personal verification and authentication I have explained above. It is also used by her 1.3 million citizens to access government services, other than e-residents (which can access the same services too!).

Thousands of kilometers away, day or night, in my living room or in my favorite local cafe, I can sign agreements, check the status of my applications and operate my business and get on with my life without having to wait in line or getting stuck in traffic because all the different moving parts that I need to interact with know with a very high probability and confidence that I am who I say I am.

Well, I know 1.3 million people versus Malaysia's 30 million people is a huge difference, but that is the beauty of technology: You can scale it.

So..

Do we need this? I truly believe so. In fact, I believe it is inevitable. The technology is already there, it is open and we have no need to invent anything new. The actual example of implementing it state wide is also there (Estonia) as well as any leanings or know-how. It has been done and it has been proven.

The right to be connected online is now starting to be accepted as a universal human right. Coupled with the constant business needs to get better efficency and savings, being able to do work and business online will become more and more of a necessity.

Allowing us to do business and deal with bureaucracy online will free up tremendous amount of time that we can use to enrich ourselves in many other ways. This is in the end what technology is supposed to be about: Empowering us human beings by allowing us to regain back our most valuable resource: time.

The more relevant and important question is when?

Obviously as a country of limited resources there is the question of prioritization. I will leave that question as a homework to be answered by our elected representatives.

But before go forth, an important issue we must address before we embark on this project, as pointed out by Ms. Erna Mahyuni in her piece, is that Malaysia does not have a good track record of enforcing privacy laws, and top top that off a very low understanding of privacy and privacy rights. This is a larger issue which should be addressed, regardless of having a national digital ID or not, as it is effecting us all, right here, right now.

But I believe the creation of a national digital ID as a base for a platform of trust to empower citizens of Malaysia is inevitable in order to continue to being relevant and competitive.


Comments

comments powered by Disqus