Digital Public Infrastructure (DPI) systems can be enablers of access, inclusion, and state capacity. However, digital systems have inherent risks and DPI introduces those risks on a societal scale. Below is an overview of eight core privacy risks in DPI systems, their relevance, and real-world examples of how these risks have materialised.
DPI systems are exposed to risks of varying types and severity. We found in our work that naming concrete risks helps our advocacy. The public debate benefits from clear language and international examples.
<aside>
📌
Very often, our calls for safeguards and stronger regulation were only taken seriously once we could point to risks that lawmakers themselves recognised as needing to be avoided.
</aside>
In this chapter we focus only on the privacy- and technology-related risks inherent to most DPI systems. The concrete risks depend not just on the functionality of the system (digital identity, payments or data exchange), but also on its technical architecture, the legal framework and the societal context in which it operates.
1. Data Misuse and Function Creep
- Risk: Data collected for a legitimate purpose (e.g. delivering social benefits) is repurposed without consent for unrelated uses (e.g. law enforcement or commercial profiling). For instance, a company collects information from a DPI in order to provide a service and later sells that data to a data broker.
- Relevance to DPI: DPI systems often centralise sensitive data. Without purpose limitation and a strict legal framework, function creep becomes a major threat.
- Example: In India, Aadhaar data collected for welfare delivery has been repurposed by other government agencies for surveillance and police investigations, despite initial assurances that its use would be limited.
2. Data Breaches and Poor Security
- Risk: Unauthorised access to, or leakage of, personal data due to poor security practices, system vulnerabilities or insider abuse.
- Relevance to DPI: DPI systems typically store high-value personal data for an entire population. A single breach can expose millions of people to harm, and biometric data cannot be reissued the way a password can.
- Example: In the Philippines, a 2016 breach of the Commission on Elections (COMELEC) voter database exposed the personal data, including fingerprints, of over 55 million registered voters.
3. Tracking and Profiling
- Risk: DPI systems enable actors to monitor individuals' activities, aggregate data and build behavioural profiles across sectors.
- Relevance to DPI: Reuse of the same identifier across services, or centralised logging of every access event, lets records from unrelated sectors be joined into a single profile.
- Example: China's national ID system and its integration with digital services allow the government to monitor citizen behaviour across platforms, including payments, transport and internet use. This is colloquially referred to as the Social Credit System.
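The linkage mechanism behind this risk is simple enough to show in code. The following example is added here for illustration and is not part of the original chapter or any real DPI system. It uses two small constructed datasets (a health record and a transport record, both keyed on an invented national identifier) and shows three things: how a shared identifier makes cross-sector joining trivial; how sector-specific pseudonyms derived with a keyed hash (HMAC-SHA256, one secret key per sector) remove that linkability; and why an unkeyed hash of the identifier is not a real pseudonym, because the identifier space is small enough to enumerate. The sector keys and identifier format are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records. Both sectors store the same reusable national
# identifier, which is the design choice that enables cross-sector profiling.
HEALTH_RECORDS = [
    {"national_id": "ID-1001", "diagnosis": "diabetes"},
    {"national_id": "ID-1002", "diagnosis": "none"},
]
TRANSPORT_RECORDS = [
    {"national_id": "ID-1001", "route": "clinic-line-7"},
    {"national_id": "ID-1003", "route": "airport-express"},
]

# Assumed per-sector secrets, held only by the authority issuing that sector's
# pseudonyms. They would never be shared between sectors.
HEALTH_KEY = b"assumed-secret-for-health-sector"
TRANSPORT_KEY = b"assumed-secret-for-transport-sector"


def link_by_identifier(left, right, key="national_id"):
    """Join two datasets on a shared column.

    With a single reusable identifier this is a dictionary lookup: anyone who
    obtains both datasets can build a combined profile with no further effort.
    """
    index = {row[key]: row for row in left}
    return [{**index[row[key]], **row} for row in right if row[key] in index]


def sector_pseudonym(national_id, sector_key):
    """Derive a sector-specific pseudonym with HMAC-SHA256.

    The same national_id yields a different pseudonym under each sector key,
    so records from two sectors cannot be joined without both keys.
    """
    return hmac.new(sector_key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, sector_key):
    """Replace the national identifier in each record with a sector pseudonym."""
    out = []
    for row in records:
        row = dict(row)
        row["pseudonym"] = sector_pseudonym(row.pop("national_id"), sector_key)
        out.append(row)
    return out


def unkeyed_pseudonym(national_id):
    """A common but weak design: hash the identifier with no secret key."""
    return hashlib.sha256(national_id.encode()).hexdigest()[:16]


def brute_force_unkeyed(target, candidate_ids):
    """Reverse an unkeyed pseudonym by enumerating the identifier space.

    National ID spaces are small and structured, so this dictionary attack is
    cheap; the keyed version above is not reversible this way without the key.
    """
    for cid in candidate_ids:
        if unkeyed_pseudonym(cid) == target:
            return cid
    return None


def demo():
    """Return (links with raw IDs, links after sector pseudonymisation)."""
    linked_raw = link_by_identifier(HEALTH_RECORDS, TRANSPORT_RECORDS)
    health_p = pseudonymise(HEALTH_RECORDS, HEALTH_KEY)
    transport_p = pseudonymise(TRANSPORT_RECORDS, TRANSPORT_KEY)
    linked_p = link_by_identifier(health_p, transport_p, key="pseudonym")
    return len(linked_raw), len(linked_p)


if __name__ == "__main__":
    print("joinable records (raw IDs, sector pseudonyms):", demo())
    candidates = [f"ID-{n}" for n in range(1000, 2000)]
    print("unkeyed hash reversed to:", brute_force_unkeyed(unkeyed_pseudonym("ID-1001"), candidates))
```

Sector-specific pseudonyms only help if the mapping key stays inside the issuing authority and there is no central log that records which pseudonym was issued to which identifier and when; a central logging service that sees every authentication event re-creates the profile regardless of how the identifiers look.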
4. Over Identification
- Risk: Requiring individuals to prove their legal identity in contexts where it is not necessary. This reduces anonymity and pseudonymity, with negative consequences for privacy and freedom of speech.
- Relevance to DPI: DPI systems can make identity verification so easy and ubiquitous that services begin to require identification where none is needed.
- Example: In the United Kingdom, the Online Safety Act requires many websites and apps to check the age of their users. This has led to millions of photos of driving licences, ID cards and passports being uploaded to the servers of adult and other websites.