Written by Ho Ming-hsuan | Edited by OCF Lab
The digital revolution in the last half-decade has made digital life a new norm, and many countries are joining a growing number of people in transitioning into a ‘walletless’ future. First there was contactless payment, which allows users to pay through their mobile devices. Now, electronic and digital forms of identification are taking the world by storm. Gone are the days where we had to fumble through card after card to finally reach for the right one. Now, all our essential information is available at our fingertips with just a single card or smart device in hand.
While some countries have mandated the use of digital ID, others are slowly easing their people into the transition. In these series, we’ll be looking at some forms of electronic and digital identification used by some countries in Asia to understand how this growing trend is taking shape here. This article will start from Taiwan.
Digital ID in Taiwan: Underestimated Risks to Privacy and Cybersecurity
Taiwan once again launched its comprehensive digital ID project in 2015, which made the third attempt to officially launch a project related to digital ID by the government, preceded by its previous efforts in 1998 and 2005 respectively.
This policy of producing digital ID has undergone numerous revisions since its launch in 2015. The latest version is the government to combine the existing National ID Card and the Citizen Digital Certificate into a new digital ID card with a chip (i.e. New eID), which is expected to go for a trial run in certain municipalities in January 2021 before a total rollout in July 2021.`
In Taiwan, all citizens are required to have an ID card. The cards at present are paper-based in hardcopy. Yet, should citizens want to be digitally authenticated with their IDs, they can “voluntarily” apply for a “Citizen Digital Certificate” from the Ministry of the Interior. It is a system that has been operated for years prior to this rollout of New eID.
The New eID, apart from the policy of all citizens required, is made of plastic physically with a chip embedded to store digitalized identity information and Citizen Digital Certificate. The activation of such chip is mandatory with only the section of Citizen Digital Certificate remained optional for opt-out. According to the plan of the Ministry of the Interior, citizens can use this card for digital identity authentication to access services provided by the public and private sectors alike, without specific limit as to the scope of application of such card to date.
The current planning by the government of Taiwan has raised huge concerns for the past couple of years as follows:
- No full assessment of information security risk with the New eID: The New eID comes with the potential to extensively broaden the application scope of digital identity. However, in consideration of information security, the government focuses merely on the risks involved with the production of the chip itself, while underestimating risks arising from other service-related systems and software. Furthermore, it fails to take the cybersecurity capacity of the entities that may store digital identity information of individuals into its consideration of risks.
- Increased risks of surveillance on individuals due to the New eID: As individuals have their digital ID authenticated, they may leave lots of digital footprints behind at the end of government or companies. These digital footprints can be exploited for the purposes of systemically tracking or analyzing individuals’ behaviors. In addition, either “T-Road” that improves the possibilities of data exchanges among governmental departments or the high-resolution photos stored on the digital ID (300dpi & 600dpi) has also stirred up concerns of surveillance by the state in various degrees. In light of these risks, the public proposed a counter-surveillance mechanism for the citizens at minimum, which was turned down by the government, nevertheless.
- National security concerns with the New eID: The tendering processes relevant to the digital ID have completed successively in 2020. However, the software supplier for the digital ID production (International Integrated Systems, Inc.) was found a contractor to numerous ICT systems of public financial entities in China as well. As a result, it raises concerns not just about the potential risks of shared components in terms of system, but also the risks involving the relevant individuals forced to hand over relevant system design parameters or project details when traveling across borders of China.
- No intention to regulate risks via laws by the government: The laws and regulations concerning personal information or information security in Taiwan are general perceived as incapable of tackling risks introduced by the digital ID. However, different from countries like Germany, Japan, and Estonia that tackle such risks through establishing new or amending existing laws, the government of Taiwan has no intention to amend its laws in the implementation of the policy these years, which is also the part questioned by the public the most in the process. At present, there is no dedicated entity with regard to personal data protection in Taiwan, it is yet another reason why many people consider such policy implementation inappropriate.
In light of the risks mentioned above, the civic society and the academia proposed three suggestions: (1) introduce relevant laws immediately to ensure the citizens’ right to choose whether or not to obtain a digital ID card and to regulate the risks of cybersecurity and privacy stemming from the policy; (2) create an independent, dedicated entity for personal data protection that oversees matters concerning personal data protection nationally, including behaviors such as identity authentication; and (3) halt the digital ID rollout policy prior to the aforementioned actions taken and completed.
The article is licensed by CC BY-SA 4.0.