By Ho Ming-hsuan
The digital revolution in the last half-decade has made digital life a new norm, and many countries are joining a growing number of people in transitioning into a “walletless” future. First, there was contactless payment, which allows users to pay through their mobile devices. Now, electronic and digital forms of identification are taking the world by storm. Gone are the days where we had to fumble through card after card to finally reach for the right one. Now, all our essential information is available at our fingertips with just a single card or smart device in hand.
While some countries have mandated the use of digital ID, others are slowly easing their people into the transition. In this series, we’ll be looking at some forms of electronic and digital identification used by some countries in Asia to understand how this growing trend is taking shape here. This series will start from Taiwan.
Digital ID in Taiwan: Underestimated risks to privacy and cybersecurity
Taiwan once again launched its comprehensive digital ID project in 2015, which made the third attempt to officially launch a project related to digital ID by the government, preceded by its previous efforts in 1998 and 2005.
This policy of producing digital ID has undergone numerous revisions since its launch in 2015. In the latest version, the government combines the existing National ID Card and the Citizen Digital Certificate into a new digital ID card with a chip (i.e. New eID), which was expected to go for a trial run in certain municipalities in January 2021 before a total rollout in July 2021.
In Taiwan, all citizens are required to have an ID card. The cards at present are paper-based in hard copy. Yet, should citizens want to be digitally authenticated with their IDs, they can “voluntarily” apply for a “Citizen Digital Certificate” from the Ministry of the Interior. It is a system that has been operated for years prior to the rollout of New eID.
The New eID, apart from the policy of all citizens required, is made of plastic with a chip embedded to store digitalized identity information, including that in the Citizen Digital Certificate. The activation of such chip is mandatory with only the section of Citizen Digital Certificate remained optional for opt-out. According to the plan of the Ministry of the Interior, citizens can use this card for digital identity authentication to access services provided by the public and private sectors alike, without specific limit as to the scope of application of such card to date.
The current planning by the government of Taiwan has raised huge concerns for the past couple of years, including:
No full assessment of information security risk: The New eID comes with the potential to extensively broaden the application scope of digital identity. However, in terms of information security, the government focuses merely on the risks involving the production of the chip itself, while underestimating risks arising from other service-related systems and software. Furthermore, it fails to take into consideration the cybersecurity capacity of the entities that may store digital identity information when evaluating risks.
Increased risks of surveillance: As people have their digital ID authenticated, they may leave lots of digital footprints behind at the end of government or companies. These digital footprints can be exploited to systemically track or analyze people’s behaviors. In addition, both “T-Road,” a mechanism that facilitates data exchanges among governmental departments, and the high-resolution photos stored in the digital ID have also raised concerns of surveillance by the state in various degrees. In light of these risks, the public proposed a counter-surveillance mechanism for the citizens at minimum, which was turned down by the government, nevertheless.
National security concerns: The software supplier for the digital IDs (International Integrated Systems, Inc.) was found a contractor to numerous ICT systems of public financial entities in China. As a result, it has raised concerns not just about the potential risks of shared components in terms of system, but also the risks involving the staff of the supplier forced to hand over relevant system design parameters or project details when traveling to China.
No intention to regulate risks via laws by the government: The laws and regulations concerning personal information or information security in Taiwan are general perceived as incapable of tackling risks introduced by the digital ID. However, different from countries like Germany, Japan, and Estonia that tackle such risks through establishing new or amending existing laws, the government of Taiwan has no intention to amend its laws in the implementation of the policy these years, which is also the part questioned by the public the most in the process. At present, there is no dedicated entity with regard to personal data protection in Taiwan, it is yet another reason why many people consider such policy implementation inappropriate.
In light of the risks mentioned above, the civic organizations and the academia have proposed three suggestions. The government should: (1) introduce relevant laws immediately to ensure the citizens’ right to choose whether or not to obtain a digital ID card and to regulate the risks of cybersecurity and privacy stemming from the policy; (2) create an independent, dedicated entity for personal data protection that oversees matters concerning personal data protection nationally, including identity authentication; and (3) halt the policy to roll out digital IDs before the aforementioned actions are taken.
The article is licensed by CC BY-SA 4.0.
The News Lens has been authorized to publish this article from OCF Lab.
READ NEXT: Plan for Digital ID Card Suspended Amid Controversy
TNL Editor: Bryan Chou (@thenewslensintl)
If you enjoyed this article and want to receive more story updates in your news feed, please be sure to follow our Facebook.
