Monday, July 18, 2016

Sri Lanka's electronic ID: A grave threat to civil liberties (Update 2 with excerpts and links to the bill)

Sri Lanka is to issue E-NICs soon. This has been talked about for several years, but the bill has been passed in parliament and is now apparently in the committee stage. The bill is not widely available, so this is only a preliminary analysis, but we do know that it is modeled on Pakistan's CNIC scheme.
The Sunday Times states that "the detailed data base will include biometrics data, details of family members and whether the person is a samurdhi beneficiary or a recipient of other benefits from the state".
A tech website claims that:
Accordingly all relevant information of a child since their date of birth will be incorporated into the eNIC. Once the child reaches the age of 16, he/she will be assigned an identity card number and the new electronic NIC will be issued.

This would actually make sense as all details of a citizen could be stored in this so a single database can be maintained for each citizen. In addition, the new ID card would make our lives a tad easier by making banking and other services readily accessible. The eNIC can also be used in a situation such as verification of driving licenses, passports and other identity-related services.
Sri Lanka has had a system of national IDs since the 1970s and people have got used to the concept, but hitherto the records have been maintained manually. The new card:

1. Contains a lot more information than the old manual ID.
2. Has the data centrally stored, enabling easy monitoring.

This new card will contain:
  • Current details (name, address, etc.)
  • Biometrics (retina, fingerprints, etc.)
  • Blood Group
  • Picture
  • Bio data (Presumably things like marital status, religion, etc)
  • Family Tree
This is the most dangerous step taken by the new regime and would potentially enable those in power to monitor the activities of opponents, journalists and dissidents with ease.

The use of the NIC has expanded over the last decade and it is now used for many normal day-to-day activities. Twenty years ago I did not even bother carrying an NIC around; I kept it safely locked up at home along with my passport. Now I don't leave home without it.

Just think of how many transactions need an NIC. All of this could potentially be captured, stored and accessed. Just off the top of my head, the information extracted could include:

1. Employment details
2. EPF, ETF details.
3. Details of bank transactions, credit cards.
4. Savings, fixed deposits, investments.
5. Income tax file nos.
6. Details of businesses registered under your name and directorships held.
7. Share market trading accounts.
8. Vehicles owned.
9. Phone numbers owned.
10. Houses, property owned.
11. Travel details, airline tickets and visits to hotels.
12. Bio data could include email addresses, details of adopted children (source)

The list keeps going on. Complaints lodged with the police and legal agreements drawn up all carry NIC numbers, as do even some loyalty card programmes with supermarkets; could these all wind up getting captured? The bill provides untrammeled power to collect any data:

39a(1) The Commissioner General or an
authorized officer may, for the purpose of
discharging the functions under this Act,
require a prescribed authority to furnish, in
writing, such prescribed information relating
to a person, recorded with such Authority

(2) It shall be the duty of the person who is
in charge of such authority referred to in
subsection (1) to comply with such requirement

Employers are bound to submit all information relating to their employees:

(3) Any employer –
(a) who fails to carry out the duty
imposed on him by section 38 to
comply with any direction issued
to him under that section to furnish
a return relating to any person or
persons in his employment; or
(b) who furnishes any such return
containing any particular regarding
such person or persons that is untrue
or incorrect,

shall be guilty of an offence under this Act,
and shall on conviction be liable to a fine not
exceeding one hundred thousand rupees or to
imprisonment of either description for a term
not exceeding one year or to both such fine
and imprisonment -

Particularly troubling is the family tree and the bio data; the (entirely illegal) tactic used in the past was to take into custody family members of people the Government wanted to question and to hold them hostage until the wanted person turned up. Not that the people the Government wanted to question were suspected of anything. Journalist Tissainayagam was detained when he went to inquire why his landlord had been detained and held without charge for almost six months.

Now details of family, race and religion will be available centrally.

The draft bill allows the Secretary of Defence and any authority involved in criminal investigation to access the database willy-nilly. No warrant or authorisation is needed.

39C. Notwithstanding any other provision
of this Act, it shall be lawful for the
Commissioner-General to disclose any
information relating to a registered person
recorded in the National Register of Persons,
to a public officer or authority, where such
disclosure is necessary -

(a) in the interest of national security upon
a direction issued by the secretary to
the Ministry of the Minister to whom
the subject of national defence is
assigned; or
(b) for the prevention or detection of
crimes; or
(c) for the purpose of complying with any
order or direction issued by a
competent Court

The minister, however, retains the sole power to exempt anyone or any class of persons from complying on the grounds of "national security". Conceivably members of parliament or military personnel may be exempted. In other words we can choose who to keep under surveillance, exempting our friends but including our opponents.

39D. The Minister may, in the interest of
national security require the Commissioner-
General to exempt any person or class of persons
from the application of any of the provisions
of this Act or any regulation made thereunder
to the extent as is necessary, subject to such
terms and conditions

The BBS would be very pleased to get accurate records of Muslims, Muslim businesses and property owned by Muslims. Would-be extortionists, kidnappers and criminals would be very interested in obtaining asset and bank details. Provincial councillors, often little more than criminals, who extract graft from any business operating in their territory, will doubtless rub their hands with glee if they could get the tax records of businesses.

The Government claims that the E-NIC would enable accurate identification but this is not foolproof, as proven in Pakistan. Criminals and those with things to hide would find the means around it, as has happened in Pakistan. Problems with fraud and identity theft with E-NICs have prompted a massive and expensive re-registration drive in Pakistan.

Before we proceed any further citizens need to know what this E-NIC will entail and the bill must be made public and subject to proper debate.

The UK started implementing such a scheme after the September 11th attacks in the US in 2001 and scrapped it in 2010, as it was deemed to be intrusive.

Sri Lanka has only recently emerged from a situation where the state (or a parallel state) monitored people deemed objectionable. It is known that phone calls and text messages were tapped, which is why the then-opposition used WhatsApp and Viber to communicate for election monitoring. Now that they are in office they propose to leave a powerful tool in the hands of the Government that can be used to identify and crush its opponents.

Those in power today who push for these measures need to consider their own position and that of their supporters, in the event they lose power.

The broad arguments against the E-NIC in the UK can be found on the campaign website NO2ID. Concerned citizens and civil society should call for the full publication of the proposed bill and proper public debate before we move any further.

The Bill can be accessed here.