Rebecca Moody, Head of Data Research at Comparitech, has extensively studied countries that have digital ID requirements and how they have fared over the last 12 months
Several years ago, experts predicted that, by 2024, governments will have issued a total of 5 billion digital identities. Digital IDs are hailed as a convenient way to access government services, prevent identity theft, and create efficient systems.
But what about the privacy implications of these IDs? And the increased risk of breaches and shutdown of key government systems? Not only do digital IDs have the potential for increased government surveillance, but a centralised database of citizens’ data creates a serious risk of breaches and a single point of failure. The latter could ultimately leave citizens without access to key services.
To find out which countries already have such systems in place and how invasive these identification systems are, our team has looked at the top 50 countries by GDP.
We explored the type of digital ID in place, what data is collected to create these systems, what the digital IDs are used for, and whether or not they’re linked to mobile apps. Each country was given a score out of 35. Lower scores indicate a more limiting and invasive use of the identification system.
Please note: while many countries have electronic biometric cards, this study focuses on fully-digitalised identification. This is often via an app on a smartphone or may be a digitalised identity number that is created for each citizen and is linked to their physical ID. Sometimes, the latter may also be connected to an app.
Several years ago, experts predicted that, by 2024, governments will have issued a total of 5 billion digital identities. Digital IDs are hailed as a convenient way to access government services, prevent identity theft, and create efficient systems.
But what about the privacy implications of these IDs? And the increased risk of breaches and shutdown of key government systems? Not only do digital IDs have the potential for increased government surveillance, but a centralised database of citizens’ data creates a serious risk of breaches and a single point of failure. The latter could ultimately leave citizens without access to key services.
To find out which countries already have such systems in place and how invasive these identification systems are, our team has looked at the top 50 countries by GDP.
We explored the type of digital ID in place, what data is collected to create these systems, what the digital IDs are used for, and whether or not they’re linked to mobile apps. Each country was given a score out of 35. Lower scores indicate a more limiting and invasive use of the identification system.
Please note: while many countries have electronic biometric cards, this study focuses on fully-digitalised identification. This is often via an app on a smartphone or may be a digitalised identity number that is created for each citizen and is linked to their physical ID. Sometimes, the latter may also be connected to an app.
Key findings
Out of the 50 countries we analyzed:
- 37 countries have implemented digital ID schemes with the majority being mobile applications linked to physical ID cards
- All 13 countries without fully-fledged digital ID schemes are discussing or in the process of creating them
- The majority of digital IDs collate personal data with 13 also including biometrics
- 19 of the countries with digital IDs have a centralised biometric database
- All of the digital IDs are used for accessing government services with many also being linked to banking and healthcare
- 35 countries have smartphone apps linked to the digital IDs–only six of these apps don’t collect data off the device (e.g. on the government database or by the software providers)
The worst countries for digital ID requirements and use
The following countries received the lowest scores, which means their use of digital IDs are potentially invasive, limiting, and lacking in data privacy.
Nigeria = 4/35
Nigeria is the worst-scoring country due to its use of the National Identification Number (NIN). As of June 2023, 100 million of these digital IDs had been issued with plans to have enrolled 148 million by the middle of this year. A NIN is mandatory within the country and includes fingerprints, a facial picture, and a digital signature.
Having an NIN is essential for accessing government services, getting healthcare, opening a bank account, and obtaining documents to be able to travel.
Nigeria does have a data protection law in place, but that hasn’t stopped the creation of a national database that includes biometrics, and to which law enforcement often has unwarranted access.
An app, MWS: NIMC MobileID, was recently introduced. It gives people access to their digital ID, but it isn’t mandatory (1 point). A further two points are given for the data protection law providing some safeguards over the data collected via the app (1) and the optional use of two-factor authentication (2FA) within the app (1).
Pakistan = 7/35
In second place is Pakistan with its Computerised National Identity Card (CNIC). This isn’t mandatory as such but citizens cannot do a number of things without it (1 point). It is needed to access government services and benefits, use healthcare services, and open a bank account. It can also be used for travel but isn’t compulsory (1 point). Unlike Nigeria, Pakistan has failed to introduce an adequate data protection law so it loses one point here.
Like Nigeria, Pakistan created a central biometric database from its ID scheme and is in the process of rolling out an app for the digital ID. At present, Pakistan’s app, Pak Identity, can be used to create the CNIC but there are aims for this to become a digital wallet. The app’s data collection policies are vague but data isn’t shared with third parties (2 points) and 2FA is compulsory (2 points).
Pakistan’s digital ID scheme has been heavily criticised for keeping many people locked out of key services. For example, one woman was unable to obtain a CNIC because she couldn’t present her father’s ID card (her father abandoned her as a baby).
Brazil and Vietnam = 10/35
Vietnam has an app linked to its national ID card. Brazil has created a new national ID scheme for its Carteira de Identidade Nacional (CIN) that incorporates blockchain technology.
While Brazil’s digital ID is a requirement when you reach a certain age, Vietnam’s digital version of the e-ID card isn’t mandatory. Both countries use digital IDs for access to government services and benefits, banking, healthcare, and travel.
Both have apps for their digital IDs. Third parties are not permitted to access data via the digital apps of Brazil (gov.br) and Vietnam (VNeID). Neither have 2FA, though.
Singapore = 11/35
Singapore’s digital ID, Singpass, is in widespread use. And while not mandatory, citizens are incredibly limited without it. The app isn’t a requirement for the digital ID but most people do use it as it provides ease of access to government services, benefits, banking, healthcare, and some travel.
The Singpass app does collect data and third parties may access this. That said, 2FA is mandatory.
The Philippines = 11.5/35
The Philippines has created an electronic version of its Philippine National Identification System–ePhilID. This isn’t a mandatory requirement yet but citizens do need it for various government services.
The system incorporates personal data along with biometrics (fingerprints, facial scans, iris scans) into a central database. Law enforcement is able to access this database but is unable to copy data from it. However, unwarranted, real-time access is likely. The country lacks biometric data protection legislation, but a note from the National Privacy Commission regarding biometrics may provide some protection (0.5 points).
The app, eGovPH, allows users to view their digital ID. Personal data is stored when using the app, but it is not shared with third parties. 2FA is not compulsory.
Peru = 12/35
The Documento Nacional de Identidad electrónico (DNIe) is linked to an online identity in Peru but the digital aspect is not mandatory. Nevertheless, IDs are linked to a central biometric database in Peru with unwarranted access for law enforcement.
Like the Philippines, users can access their digital ID via an app, ID Perú. Users can apply for their digital ID via DNI BioFacial. The latter is the more widely used and does collect personal data but doesn’t share with third parties. No 2FA is required, either.
Other mentions
India = 19/35
No list of digital IDs would be complete without mentioning India’s Aadhaar. The Aadhaar is the biggest digital identification system in the world. It is voluntary but citizens are severely limited without it.
It scores mid-table in this study because the biometric database is not accessible to law enforcement, and because the app version of the ID, mAadhaar, comes with privacy protections. It doesn’t collect any personal data and 2FA is compulsory.
The Aadhaar is a prime example of how digital identification systems can lead to huge data breaches. Late last year, the data of 815 million Indians was leaked on the dark web. Stolen information included names, addresses, phone numbers, passport information, and Aadhaar numbers. The database was leaked in early 2018, too.
A fraud scheme was also identified last year whereby victims’ biometric data for the Aadhaar-enabled Payment System (AePS) was targeted.
Saudi Arabia = 15/35
Saudi Arabia’s digital ID app, Absher, is linked to its eID card. It isn’t mandatory but does provide one of the best examples of how digital IDs can be used for all the wrong reasons.
Absher can be used to issue travel permits. Reports suggest this feature has been used by male users to track female ‘dependents’ when they present travel documents at the border. In some cases, male guardians revoked travel permits via the app.
Even though the app doesn’t provide real-time tracking, it can effectively allow men to control women’s movements.
Several years ago, experts predicted that, by 2024, governments will have issued a total of 5 billion digital identities. Digital IDs are hailed as a convenient way to access government services, prevent identity theft, and create efficient systems.
But what about the privacy implications of these IDs? And the increased risk of breaches and shutdown of key government systems? Not only do digital IDs have the potential for increased government surveillance, but a centralised database of citizens’ data creates a serious risk of breaches and a single point of failure. The latter could ultimately leave citizens without access to key services.
To find out which countries already have such systems in place and how invasive these identification systems are, our team has looked at the top 50 countries by GDP.
We explored the type of digital ID in place, what data is collected to create these systems, what the digital IDs are used for, and whether or not they’re linked to mobile apps. Each country was given a score out of 35. Lower scores indicate a more limiting and invasive use of the identification system.
Please note: while many countries have electronic biometric cards, this study focuses on fully-digitalised identification. This is often via an app on a smartphone or may be a digitalised identity number that is created for each citizen and is linked to their physical ID. Sometimes, the latter may also be connected to an app.
Key findings
Out of the 50 countries we analyzed:
- 37 countries have implemented digital ID schemes with the majority being mobile applications linked to physical ID cards
- All 13 countries without fully-fledged digital ID schemes are discussing or in the process of creating them
- The majority of digital IDs collate personal data with 13 also including biometrics
- 19 of the countries with digital IDs have a centralised biometric database
- All of the digital IDs are used for accessing government services with many also being linked to banking and healthcare
- 35 countries have smartphone apps linked to the digital IDs–only six of these apps don’t collect data off the device (e.g. on the government database or by the software providers)
The worst countries for digital ID requirements and use
The following countries received the lowest scores, which means their use of digital IDs are potentially invasive, limiting, and lacking in data privacy.
Nigeria = 4/35
Nigeria is the worst-scoring country due to its use of the National Identification Number (NIN). As of June 2023, 100 million of these digital IDs had been issued with plans to have enrolled 148 million by the middle of this year. A NIN is mandatory within the country and includes fingerprints, a facial picture, and a digital signature.
Having an NIN is essential for accessing government services, getting healthcare, opening a bank account, and obtaining documents to be able to travel.
Nigeria does have a data protection law in place, but that hasn’t stopped the creation of a national database that includes biometrics, and to which law enforcement often has unwarranted access.
An app, MWS: NIMC MobileID, was recently introduced. It gives people access to their digital ID, but it isn’t mandatory (1 point). A further two points are given for the data protection law providing some safeguards over the data collected via the app (1) and the optional use of two-factor authentication (2FA) within the app (1).
Pakistan = 7/35
In second place is Pakistan with its Computerised National Identity Card (CNIC). This isn’t mandatory as such but citizens cannot do a number of things without it (1 point). It is needed to access government services and benefits, use healthcare services, and open a bank account. It can also be used for travel but isn’t compulsory (1 point). Unlike Nigeria, Pakistan has failed to introduce an adequate data protection law so it loses one point here.
Like Nigeria, Pakistan created a central biometric database from its ID scheme and is in the process of rolling out an app for the digital ID. At present, Pakistan’s app, Pak Identity, can be used to create the CNIC but there are aims for this to become a digital wallet. The app’s data collection policies are vague but data isn’t shared with third parties (2 points) and 2FA is compulsory (2 points).
Pakistan’s digital ID scheme has been heavily criticized for keeping many people locked out of key services. For example, one woman was unable to obtain a CNIC because she couldn’t present her father’s ID card (her father abandoned her as a baby).
Brazil and Vietnam = 10/35
Vietnam has an app linked to its national ID card. Brazil has created a new national ID scheme for its Carteira de Identidade Nacional (CIN) that incorporates blockchain technology.
While Brazil’s digital ID is a requirement when you reach a certain age, Vietnam’s digital version of the e-ID card isn’t mandatory. Both countries use digital IDs for access to government services and benefits, banking, healthcare, and travel.
Both have apps for their digital IDs. Third parties are not permitted to access data via the digital apps of Brazil (gov.br) and Vietnam (VNeID). Neither have 2FA, though.
Singapore = 11/35
Singapore’s digital ID, Singpass, is in widespread use. And while not mandatory, citizens are incredibly limited without it. The app isn’t a requirement for the digital ID but most people do use it as it provides ease of access to government services, benefits, banking, healthcare, and some travel.
The Singpass app does collect data and third parties may access this. That said, 2FA is mandatory.
The Philippines = 11.5/35
The Philippines has created an electronic version of its Philippine National Identification System–ePhilID. This isn’t a mandatory requirement yet but citizens do need it for various government services.
The system incorporates personal data along with biometrics (fingerprints, facial scans, iris scans) into a central database. Law enforcement is able to access this database but is unable to copy data from it. However, unwarranted, real-time access is likely. The country lacks biometric data protection legislation, but a note from the National Privacy Commission regarding biometrics may provide some protection (0.5 points).
The app, eGovPH, allows users to view their digital ID. Personal data is stored when using the app, but it is not shared with third parties. 2FA is not compulsory.
Peru = 12/35
The Documento Nacional de Identidad electrónico (DNIe) is linked to an online identity in Peru but the digital aspect is not mandatory. Nevertheless, IDs are linked to a central biometric database in Peru with unwarranted access for law enforcement.
Like the Philippines, users can access their digital ID via an app, ID Perú. Users can apply for their digital ID via DNI BioFacial. The latter is the more widely used and does collect personal data but doesn’t share with third parties. No 2FA is required, either.
Other mentions
India = 19/35
No list of digital IDs would be complete without mentioning India’s Aadhaar. The Aadhaar is the biggest digital identification system in the world.
It is voluntary but citizens are severely limited without it. It scores mid-table in this study because the biometric database is not accessible to law enforcement, and because the app version of the ID, mAadhaar, comes with privacy protections. It doesn’t collect any personal data and 2FA is compulsory.
The Aadhaar is a prime example of how digital identification systems can lead to huge data breaches. Late last year, the data of 815 million Indians was leaked on the dark web. Stolen information included names, addresses, phone numbers, passport information, and Aadhaar numbers. The database was leaked in early 2018, too.
A fraud scheme was also identified last year whereby victims’ biometric data for the Aadhaar-enabled Payment System (AePS) was targeted.
Saudi Arabia = 15/35
Saudi Arabia’s digital ID app, Absher, is linked to its eID card. It isn’t mandatory but does provide one of the best examples of how digital IDs can be used for all the wrong reasons.
Absher can be used to issue travel permits. Reports suggest this feature has been used by male users to track female ‘dependents’ when they present travel documents at the border. In some cases, male guardians revoked travel permits via the app.
Even though the app doesn’t provide real-time tracking, it can effectively allow men to control women’s movements, as you can see here: https://datawrapper.dwcdn.net/Yffgk/1/
Countries without Digital IDs
The following countries do not have digital IDs but many are in the process of implementing them:
- Bangladesh – while the new ID system will help create a digital ID, this hasn’t been implemented as of yet. Discussions are ongoing, including for digital health cards.
- Canada – trials of digital IDs have been made in certain regions but nothing national has been put in place.
- China – multiple discussions have taken place and trials using WeChat as a digital ID have been conducted. Blockchain seems to be a favored method for introducing a digital ID scheme but there are concerns over how this will extend the social credit scheme within the country.
- Egypt – various discussions but nothing introduced as of yet.
- Finland – a recent digital ID scheme for travel has been trialed but there is no nationwide digital ID yet.
- Iran – discussions are in place with digital IDs for rations mentioned.
- Mexico – digital IDs look set to come into place soon with many discussions underway and legislation in progress.
- Russia – digital IDs look likely in 2024 but no legislation or clear processes have been made available yet.
- South Africa – a smart ID card is available but the digitalized aspect of the ID scheme is yet to be introduced.
- South Korea – also in place for 2024, South Korea looks set to implement a digital ID scheme via blockchain.
- Taiwan – its digital ID scheme was stopped indefinitely after it hit delays and legal issues.
- United Kingdom – numerous discussions have been made but there is nothing concrete in place yet.
- United States – while several states are looking toward digital IDs, nothing national has been introduced.
Why should we be concerned about digital IDs?
Digital IDs can limit citizens’ access to key services and are vulnerable to abuse. From the risk of data breaches to increased surveillance, digital IDs pose a concerning risk to the privacy of citizens.
Having a digital ID system in place enables governments to track citizens’ movements, financial activities, healthcare records, and more. Often, these digital ID schemes are being brought into place without adequate data protection or legislation.
Or, they are being introduced in areas where access to digital services and online platforms is limited, which immediately isolates a large number of people.
Equally, there is nothing to stop digital IDs becoming interconnected between countries. For example, the EU is in the process of trying to create the European Digital Identity. This will allow citizens to do various things including identify themselves, sign things electronically, book hotel accommodation online, open bank accounts and authenticate payments, and submit tax declarations.
Digital IDs may be the ‘future’, but without careful consideration and clear policies in place, citizens’ data, privacy, and freedom is put at increased risk.