Taiwan’s use of digital resources to deal with the Covid-19 pandemic has received no small amount of attention. It has been praised as instrumental to Taiwan’s Covid-19 response, but the quantity and quality of data the government now has at its disposal has also caused disconcert.
This disconcert has been most evident recently in the public controversy surrounding the planned implementation of electronic national identification cards — eID’s. A recent workshop at the Risk Society and Policy Research Center which brought together startup founders, professionals in the tech industry, and digital privacy advocates, sought to find out how Taiwan can improve the lack of trust in its data collection the eID controversy has exposed.
What we found, in short, is that Taiwanese are not against the government using data for the public good, as many credited it for its role in Taiwan’s pandemic response. Many participants were, however, opposed to the lack of transparency and regulatory oversight over data use.
Here’s a general sense of the problems we identified with Taiwan’s data collection regime, followed by solutions we arrived on.
Plans for “smart government” in Taiwan have proceeded at a snail’s pace
Over the last few years, Taiwan has launched numerous digital strategies, like the“Digital Nation and Innovative Economic Development Program (DIGI+) 2017-2025,” out of which arose the Smart Government Action Plan.
Nearly two years after the Action Plan was approved by the Executive Yuan in January 2019, Taiwanese participants at the workshops pointed out that there is still a lack of regulatory oversight in data use and collection, as well as inter-ministerial digital coordination, particularly relating to the eID included in the Action Plan.
The eID card would integrate information currently stored in National Health Insurance cards and driver’s licenses, as well as have access to data over various government databases. It is unclear. however, how the security of the databases would be protected.
Unsatisfactory assurances
The Ministry of the Interior’s (MOI) reassurances that the eID card will be secure are perplexing. In response to questions on privacy, the MOI said the eID card would only be used as a “proof of identity” instead of a “device to store personal data,” and that it would “contain less personal data than the current version.” This deflection still did not address the crux of the matter: the lack of regulatory oversight.
While the government insists the chips will not be produced in China, legal experts in a working group led by Academia Sinica Information Law Center director Chiou Wen-tsong have pointed out that the plan still lacks oversight in the other technical systems, because the aspects of the eID, including “chip design, operating system development, manufacturing of chip-writing equipment, data application software and other features” are still all outsourced and therefore continue to pose security threats.
A lack of public consultation
In April last year, more than one hundred people, including students, academics, industry professionals, political figures, and non-governmental organizations (NGOs), signed a petition started by the Taiwan Association for Human Rights (TAHR), to call for the government to halt the development of the eID.
Specifically, the petition called on the government to “pass comprehensive privacy protection legislation” similar to Europe’s General Data Protection Regulation (GDPR).
Participants at the workshops suggested the government adopt the GDPR as a standard to provide data oversight in Taiwan. However, Taiwan’s certification for GDPR adequacy is still being negotiated — Taiwan’s lack of an independent data protection agency is a key reason that hinders its participation, Digital Minister Audrey Tang said.
Even legislators from the ruling Democratic Progressive Party (DPP) have said that the government should suspend plans to implement the eID card, and prioritize the establishment of an independent data protection agency, as well as to develop regulations to protect privacy.
An eID necessitates a new governance approach
There is no one agency overseeing data privacy, resulting in “each agency [being] responsible for its own data,” Open Knowledge Taiwan Ambassador T. H. Schee said. This means that businesses do not have a central place to go to check the legality of data use.
However, while Tang said in July 2020 that she would propose the setting up of such an agency at the next legislative session, Schee pointed out that according to government officials, the agency would still be parked under the new digital ministry, which would therefore lack independent oversight.
NGOs have highlighted how other countries like Germany and Estonia “have strict laws regulating what data can be stored on the electronic wafers used in ID cards.”
For example, one participant at RSPRC’s workshops highlighted that under the national data management system created by Estonia, all public databases are regulated by the law. There is however little public knowledge of how Taiwan’s plan for an Estonia-like system, “T-Road,” works, or if it has already been set up.
Strengthening cross-agency cooperation
The government’s lackluster concern for data protection is precisely why participants at RSPRC’s workshops emphasized how the government’s use of personal data should not be exempted from regulatory oversight.
In fact, participants suggested that the government should also be required to provide transparency reports similar to those released by Google and Facebook, and terms of service agreements akin to those adopted by Facebook and Twitter, so that users can be made aware of how their data is being used. While these tools are not perfect, they can function as the foundation for developing stronger oversight mechanisms, aided by the cross-pollination of privacy protection tools between digital companies and the government.
Participants at the workshops proposed the creation of two independent bodies to provide separate oversight over data protection. One would be an agency similar to the National Communications Commission (NCC) to safeguard data protection and transparency, and another one similar to the Consumer Protection Committee (CPC) to investigate complaints and reports of unethical and illegal data use.
In addition, participants pointed to how cross-agency coordination is paramount, the fear being that the disparate data strategies of the various ministries will lead to confusion and create barriers in engaging with the public. As the eID controversy has shown, several agencies such as the MOI and the NDC have been engaged in different aspects of its development.
Participants also pointed out that digitalization strategies should not only involve database creation for the collection of data, but to also understand how the data collected is relevant for public purposes. New domain knowledge is necessary regarding new digitalization, data protection and privacy needs, and the government needs to be cognizant of the fact that it does not have all the answers and allow the public a greater role in formulating policy.
A good example of proposals to arise from the public comes from the Open Culture Foundation, an open source community in Taiwan. They suggested that the eID source code should be made public so that the security of the system can be strengthened via the participation of experts and scholars, and to “prevent [any] single company from monopolizing government bidding projects and hiding backdoors in the eID system.”
Data Regulation Beyond the eID
Participants at RSPRC’s workshop also pointed to how the lack of such regulatory oversight impacts other sectors as well.
For example, the lack of standardization of databases among food companies in Taiwan has resulted in patchy data collection, according to a participant at the workshop with knowledge of the database construction. While there are regulations requiring data to be collected, the type of data that needs to be collected is not specified. There are also no regulations pertaining to how databases should be constructed, leading to companies regularly changing their databases in order to cut costs, or to simply collect data manually using pen and paper.
Nonetheless, participants were aware that there is a need to strike a balance between collecting data for food safety on one hand, while ensuring the data privacy of food companies. Regulations should therefore be customized for business-to-consumer and business-to-business industries, in order to protect trade secrets.
Fortunately, there is a growing awareness that the lack of database integration poses as a loophole in Taiwan’s digital transformation and industrial development strategy. At another NSTC installment last December, Trend Micro Chief Executive Eva Chen highlighted how the lack of data integration within company departments has enabled hackers to infiltrate company databases via disparate systems, thereby creating cybersecurity threats.
The discussions led to proposals including the strengthening of database systems as part of the government’s performance review of companies which apply for government research grants or procurement projects.
The big picture: transparency and citizen engagement
An argument can be made that it is not so much the eID that Taiwanese oppose, but more so the perceived non-transparent manner in which its implementation has been conducted.
In the case of eID pilot which was to be conducted in Hsinchu, Taiwan Association for Human Rights secretary-general Shih Yi-hsiang said that the MOI “did not clearly inform the public about the eID project or furnish them with a proper overview” of the pilot.
This problem could have been avoided if the government conducted an open and consultative participatory process right from the start, after the card development was launched in 2016. This is a sentiment shared by many observers.
In fact, the workshop participants were all realistic that as long as data is on the internet, it is not possible to have complete privacy. What the participants are advocating for therefore is not ultimate privacy with no room for discussion, but legal and regulatory safeguards which can hold unethical data use to account, and the eID system as it currently stands cannot assure this. Minister Tang acknowledged as well the lack of independent oversight that is preventing Taiwan from fulfilling the European Union’s GDPR requirements.
As it is, the eID rollout has taken five years since it was announced in 2016 to become close to realization. Imagine if the participatory engagement was done right, properly incorporating public feedback. The time spent today on the petitions, press conferences and legal suits to halt the eID launch could have been better spent engaging participants in productive discussions, if the government was willing to listen.
In the end, the government needs to understand that it is not that Taiwanese do not want the eID. It is that they do not trust the government to make the eID safe in its current iteration, because the government has not listened. And it is time the government needs to start to listen.
The development of the eID card therefore presents a valuable opportunity for the government to learn to engage with citizens, given the complexities required in developing a new regulatory framework to deal with emerging data concerns. If the government can adopt a fresh mindset in engaging the public before the roll-out of the eID, it will set the standard for future democratic exercises to come.
READ NEXT: Taiwan’s Rigged Economy Dampens Innovation
TNL Editor: Nicholas Haggerty (@thenewslensintl)
If you enjoyed this article and want to receive more story updates in your news feed, please be sure to follow our Facebook.
