Mexico’s government wants the biometrics of all its citizens. Given the fragility of its institutions and organized crime’s infiltration of both government and law enforcement, this is a major cause for concern.
Mexico has a serious problem with identity theft. Last year, the country ranked eighth worldwide in terms of the incidence of the crime, according to data from the country’s central bank, Bank of Mexico. Since then the scale of the problem has done nothing but grow, as huge amounts of work, leisure and consumption have migrated online.
A cybersecurity study conducted by Citrix found that 60% of the Mexican companies it consulted had suffered some form of cyber attack since the start of the pandemic, including identity theft and ransomware. Mexico is also one of the countries most frequently targeted by Trickbot, a Trojan horse whose main function is the theft of banking details and other credentials, according to a recent report by the newspaper Milenio.
Against this backdrop Mexico’s Lopez Obrador government is seeking to pass a draft law that will create a “Unique Digital Identity Card,” or CUID. If the law is passed, digital identity will become mandatory for all Mexican citizens and foreigners living on Mexican soil. All the information, including each user’s biometric data, will be stored on a centralised database. The proposed law was already passed by Mexico’s lower chamber in December 2020 and is now awaiting passage in the Senate.
World Bank Funding
The biometric ID card project is being funded by the World Bank, an organisation that is driving digital ID adoption around the world, particularly in the Global South. The bank is pushing digital ID in poorer countries with the ostensible goal of providing legal identity to the 1.1 billion people, mainly in Asia and Africa, who do not currently have one.
But the program is mired in controversy. After the recent exodus of U.S.-allied forces from Afghanistan, it was discovered that many of the World Bank-funded data troves left behind had fallen into the hands of the Taliban, and could be used to track down people who had aided the occupation forces. That data included some half a million records, including biometric identifiers, on every member of the Afghan National Army and Afghan National Police, reported MIT Technology Review:
The data is collected “from the day they enlisted,” says one individual who worked on the system, and remains in the system forever, whether or not someone remains actively in service. Records could be updated, he added, but he was not aware of any deletion or data retention policy—not even in contingency situations, such as a Taliban takeover.
A presentation on the police recruitment process from NATO’s Combined Security Training Command–Afghanistan shows that just one of the application forms alone collected 36 data points. Our sources say that each profile in APPS holds at least 40 data fields.
These include obvious personal information such as name, date, and place of birth, as well as a unique ID number that connects each profile to a biometric profile kept by the Afghan Ministry of Interior.
But it also contains details on the individuals’ military specialty and career trajectory, as well as sensitive relational data such as the names of their father, uncles, and grandfathers, as well as the names of the two tribal elders per recruit who served as guarantors for their enlistment. This turns what was a simple digital catalogue into something far more dangerous, according to Ranjit Singh, a postdoctoral scholar at the nonprofit research group Data & Society who studies data infrastructures and public policy. He calls it a sort of “genealogy” of “community connections” that is “putting all of these people at risk.”
Security Risks in Mexico
More than 25 national and international organisations, including Privacy International, Access Now and Red en Defensa de los Derechos Digitales (R3D), have called on Mexico’s Senate to block the CUID program’s implementation, citing security risks to civilians as well as the Mexican government’s authoritarian drift. In April, the AMLO government passed a controversial reform to the Federal Communications Law that created the National Register of Mobile Telephone Users, a centralised database containing the line number, date and time of activation for each user, their full name and biometric data, among other information.
The government claims the data is needed for its fight against organized crime. Smart phones, it says, are routinely used in many of the worst crimes committed, including kidnappings and extortion.
Roughly 75% of Mexicans have a smartphone, according to a government survey. Now, the government wants the biometric data of everyone. And that should be cause for concern. In a recent interview with Rest of World, a global nonprofit publication “covering the impact of technology beyond the Western bubble,” the Mexican digital rights activist Luis Fernando García said that the centralised nature of the proposed biometric database system would make it much easier for the government to track and control citizens:
When the government creates this one identity system, every time someone goes to a public or private service, they give the same centralized ID. Before, officials would need to go to different places to collect all the information they need. With the CUID, they would have a way to connect all of the databases. This gives the government and corporations the power to surveil, control, manipulate, and punish people.
Given the inherent weakness of Mexico’s political and legal institutions and the extent to which organised crime has infiltrated both government and law enforcement agencies, so much so that the line between organized crime and the public authorities is barely distinguishable, “a digital ID that simply provides a new surveillance tool…, enabling the tracking, surveilling and profiling at scale, is a great cause for concern,” says the London-based charity Privacy International:
Digital ID systems risk being a surveillance tool, used to track movements and activities, and linking all of a person’s activities back to a single number. This is particularly acute in Mexico, given the ongoing targeting of communities at risk including journalists, human rights defenders, and environmental activists. And, if the abuse of Aadhaar by criminals in India is anything to go by, organised crime could be looking to use this system for their own, deadly ends. In an interview with PI, a lawyer at the Mexican human rights organisation CentroProdh spoke movingly of the impact that surveillance has on human rights defenders, lawyers, and activists. The intrusion of this surveillance impacts not only the lives and work of activists, but also their families.
There is also the issue of data security to consider. Political and financial institutions in Mexico have suffered numerous breaches in recent years. In 2018, hackers pulled off an audacious $20 million heist of Mexico’s inter-bank payment system, run by the Bank of Mexico. As mentioned at the beginning of this article, Mexico ranks eighth in the world in identity theft. A centralised database of every citizen’s biometric data will be the ultimate honey pot for sophisticated cyber-criminals.
“The idea of a data breach is not a question of if, it’s a question of when,” says Prof. Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the internet: everything is hackable.
Authorities in India, South Korea and the Philippines have already suffered breaches that led to the theft of biometric ID data belonging to millions of individuals in those respective countries, says Privacy International. And when biometric data is leaked, the consequences can be catastrophic. If biometric data is hacked, there is no way of undoing the damage. There is no way of changing or cancelling your fingerprint, iris or DNA like you can change a password or cancel your credit card. The UN High Commissioner for Human Rights says that biometrics are “by definition inseparably linked to a particular person and that person’s life, and has the potential to be gravely abused.”
Another problem with biometric systems is they are far from flawless. As Wired reported in 2019, US government tests found that even top-performing facial recognition systems misidentify blacks five to 10 times more often than they do whites. In Mexico this could be a major problem given that 67% of the population self-classify their skin colour as medium tones and 20% as dark tones.
The World Bank’s Identification for Development (ID4D) program was launched in 2014 with “catalytic contributions” from the Bill & Melinda Gates Foundation as well as the UK Government, the French Government, the Australian Government and the Omidyar Network. According to the World Bank Group’s website, it is a “cross-sectoral platform that creates and leverages partnerships with United Nations agencies, other donors, non-government organizations, academia, and the private sector” with the goal of “help[ing] countries realise the transformational potential of digital identification systems.”
The program is wrapped up in cosy buzz words such as digital development, social protection, gender issues and financial inclusion. But digital ID systems can also be weaponized by authorities to exclude millions of people from access to the most basic services, or even to deprive people of the legal right to remain within the respective jurisdiction.
This is precisely what happened in the Dominican Republic. As Eve Hayes de Kalaf, a research associate at University of London’s Centre for Latin American and Caribbean Studies, reported in an article for The Conversation, the Dominican government, in conjuction with World Bank programmes providing citizens with proof of their legal existence, “introduced exclusionary mechanisms that systematically blocked black Haitian-descended populations from accessing and renewing their Dominican ID”:
For years, people of Haitian ancestry born in the Dominican Republic have found themselves in a fierce battle to (re)obtain their ID. Officials claimed that for over 80 years they had erroneously provided people born to Haitian migrants with Dominican paperwork and now needed to rectify this mistake. These people say they are Dominican. They even have the paperwork to prove it. But the state doesn’t agree…
Who was deemed eligible for inclusion in the civil registry (meaning Dominican citizens) and who was excluded as foreigners (the Haitian-descended) was considered a sovereign issue for the state to address. As a result, tens of thousands of people found themselves without documentation and subsequently excluded from essential healthcare services, welfare and education…
Hayes de Kalaf lists other cases where digital ID registrations had been used for discriminatory purposes, including India’s ostracism of the Assam and Kenya’s systematic mistreatment of Somali refugees:
For people who find themselves excluded from this new digital age, daily life isn’t just difficult, it is almost impossible.
And while the need to speed up digital ID registrations is pressing, in this post-pandemic world we need to take a step back and reflect. Calls for digital COVID passports, biometric ID cards and data-sharing track-and-trace systems are facilitating the policing not only of people crossing borders but also, increasingly, of the populations living within them.
It is high time we had a serious discussion about the potential pitfalls of digital ID systems and their far-reaching, life-altering impact.
One can only hope that before voting on CUID, Mexico’s Senate gives full consideration to these potential risks. The same goes for many governments around the world, in both the Global South and Global North.