Huduma Namba is a great idea as long as data security is guaranteed

What you need to know:

  • Moving the identification process onto the digital platform in order to limit the exposure is progressive.
  • The challenge, however, is that the current technologies for deploying and supporting digital identity management systems suffer from one weakness – they are very centralised and subsequently form a 'single point of failure'.
  • In more developed economies, the necessary data protection laws are passed and an independent and functional judiciary protects against breaches – irrespective of whether they are from the government, business enterprises or the hackers.
  • The solution may lie in adapting contemporary technologies like Blockchain, which offer digital identity management solutions that can protect citizen data through automated trust as opposed to the human trust that the traffic policeman will not access more data than is necessary for his work.

Early in the year, I did raise some concerns about the new National Integrated Identity Management System dubbed Huduma Namba. The court in its recent ruling allowed the Huduma Namba registrations to proceed but suspended some provisions that are obviously aimed at protecting citizen privacy.

Some of the suspended provisions include restrictions on collecting citizens' DNA and geo-locations, restrictions against sharing the data with third parties, and making the registration process optional.

Indeed, these restrictions may well be lifted after the case is heard and determined, so as Kenyans we should be looking beyond the court cases and begin to think of resolving the challenges.

BETTER WAY

One obvious challenge is to find a better way to design the Huduma Namba system so as to improve the way government provides services, without necessarily compromising citizen data privacy and security.

Identity Management Systems – like Huduma Namba – are really about three core players: the issuer of a claim, the owner of the claim and the verifier of the claim.

In a typical scenario, if you claim to be a graduate of, say, Oxford University, you will be holding a certificate from the institution. Oxford University will in this case be the issuer of that claim or certificate.

You then become the owner of this claim by virtue of holding that certificate.

Third parties may want to verify your claim when you present the certificate to them by doing some background checks on you. They are called the verifiers of your claimed certificate.

In the physical world, the roles and procedures for issuing, owning and verifying claims, certificates or identities are pretty standard, even though they are obviously relatively easy to fake or compromise.

Some of the things that we have all come to know and almost accept as necessary evils include fake national IDs or passports, fake university certificates, fake car registration numbers, fake cheques and fake insurance claims.

RIGHT MOVE

Moving this process onto the digital platform in order to limit the exposure is therefore progressive, and perhaps the only way to proceed.

Digital identities or certificates are mathematical representations of physical certificates and are much more secure and efficient when it comes to issuing, owning and verifying them.

The challenge, however, is that the current technologies for deploying and supporting digital identity management systems suffer from one weakness – they are very centralised and subsequently form a 'single point of failure'.

All your online accounts and subscriptions, be it your regular email, Twitter, Facebook or the more sensitive banking, mobile money or medical accounts face the same problem of being digital and centralised.

From time to time, these digital accounts do get hacked. It really does not matter how big your cyber security budgets or skills are; cyber attacks are often a question of when they will happen, rather than if they will happen.

What mitigates the data risk is therefore the limited scope of private data hosted on the attacked system. In other words, the size and impact of a data breach are proportional to the amount of sensitive data a particular system is holding about you.

By design, one of the protective mechanisms is to avoid putting all information about a citizen in one single application, which has the indirect consequence of creating an attractive, high-value digital target for would-be attackers.

This protective mechanism, however, contradicts the objective of Huduma Namba, which is to provide a unique number that opens up a single source of truth, and the whole truth about a particular citizen.

With that unique number, the traffic policeman would be able to tell if your driving license is expired, whether you have a previous history of traffic offences, whether you are a fugitive or if you are driving a stolen car.

This is all good data that can help the traffic policeman make quick and well-informed decisions.

WRONG MOTIVE

However, things can easily go off-script since the same Huduma Namba – if enabled – can be abused by the traffic officer for an ulterior motive. It can tell him where you live, where you work and your role in the company, amongst other details that would help him calibrate how big a bribe to extort from you.

It seems therefore that there must be checks and balances in enhancing service delivery without compromising citizen privacy.

In more developed economies, the necessary data protection laws are passed and an independent and functional judiciary protects against breaches – irrespective of whether they are from the government, business enterprises or the hackers.

In emerging economies like Kenya where these institutions are struggling, the solution may lie in adapting contemporary technologies like Blockchain, which offer digital identity management solutions that can protect citizen data through automated trust as opposed to the human trust that the traffic policeman will not access more data than is necessary for his work.

We won't be the first in the world to deploy Blockchain digital identity solutions, since Estonia has already done so, but we definitely would be the first in Africa.

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.

Twitter: @Jwalu