Comments on the Barbados Cybercrime Bill (2023)

PART II – PROHIBITED CONDUCT

Illegal access

Part II (4) (1-2) is far too broad in its scope and can implicate innocent or well-meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It’s even more problematic where judicial officers aren’t trained to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Guidance should be included with the legislation to distinguish between acceptable and criminal behaviours.

For example, the European Union (EU) General Data Protection Regulation (GDPR) includes 173 recitals – also known as the preamble – that provide context and explain the reasons for the regulation. There was also an explanatory memorandum that provided further details on the proposed legislation.

Misuse of devices

Part II (9) (a-b) There are a number of dual-use programmes and applications which can be and are used both for legitimate testing and protection of computer systems and, conversely, for malicious intent. There should be language here which acknowledges this and removes criminality in cases such as ethical hacking.

Disclosure of access codes

Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be illegal. The qualifier for criminality should be that the individual knows, or has reason to believe, that the disclosure is likely to cause loss, damage or injury to any person or property.

Critical information infrastructure system

Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the Act is proclaimed (e.g., financial services, water utility, transportation, healthcare, hospitality, etc.). This should not be vague or left up to interpretation.

Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:

  • There is a legal framework or a mechanism to identify operators of critical information infrastructure.
  • Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

Malicious communications

Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to prevent criticisms of politicians/public personalities or for the purpose of political persecution. This same vague language exists in the Computer Misuse Act 2005, and has been improperly used for the same abuses identified. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**

Cyber bullying

Part II (20) (1) – Same as the previous comment.

Cyber terrorism

Part II (21) (1-2) This is too limited in scope and should include any use of computer systems for terrorism or organized crime. It should also include preparatory acts for terrorism or organized crimes (these are not the crimes themselves but the precipitating actions).

PART III – INVESTIGATION AND ENFORCEMENT

Search and seizure

Part III (23) (1-2) gives law enforcement excessively broad powers when it comes to confiscation and access to computer systems (including smaller form factors such as tablets and mobile phones). These types of powers require independent and effective oversight functions (as does this entire Act).

Assisting a police officer

Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, especially in the event that the grounds for disclosure have not been met. Again, this requires independent and effective oversight functions, and the oath of a police officer shouldn’t be enough to obtain a warrant that grants such far reaching powers.

Production of data for criminal proceedings

Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers when it comes to intercepting Internet communications, compelling service providers to hand over subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. These types of powers require independent and effective oversight functions. Again, the oath of a police officer shouldn’t be enough to obtain a warrant that allows for such intrusive acts.

Preservation of data for criminal proceedings

Part III (28) (1-3) There is no discussion of the conditions and safeguards for adequate protection of human rights and liberties when collecting and storing (preservation) data for criminal proceedings. This includes maintaining the “chain of custody”, protection of personal data in line with the Data Protection Act, handling of sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third-parties, records of how data is accessed and used, etc. The provisions should also include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

General observations – Part III

Part III (Investigation and enforcement) is missing key provisions related to:

  • Joint investigations or joint investigation teams
  • Expert witness testimony by video conferencing
  • Emergency mutual assistance (which is different to expedited disclosure)

ALIGNMENT WITH THE BUDAPEST CONVENTION

2nd Protocol of the Budapest Convention

It is clear that the Cybercrime Bill was patterned after the Council of Europe’s (CoE) Budapest Convention, which has been deemed outdated or deficient for several reasons. The Additional Protocol and the Second Additional Protocol to the Budapest Convention treat additional issues around racism, xenophobia, enhanced cooperation, and access to electronic evidence (e-evidence). The drafters of this Bill do not appear to have integrated the substantive updates from the additional protocols or to have considered the protections and safeguards required by the Budapest Convention to protect human rights. So it looks like the government is essentially looking to enact legislation that is outdated and not in step with current technology developments or evolving jurisprudence.

* Training of judicial officers, especially with regards to technology law and privacy law, is a major problem in the country. Because these specialist areas of law are emerging, there is poor understanding of the issues by magistrates, judges, prosecutors, etc. and limited case law to refer to locally or in other regional jurisdictions. Consequently, many rulings / decisions have flawed bases, and individuals are often under- or over-penalised.

** The Budapest Convention, on which the Cybercrime Bill is based, has an accompanying 60-page explanatory report that specifies the additional checks and balances and the rule of law-based environment that countries like Barbados should have underpinning their cybercrime legislation. The explanatory report also covers the background, scope, objectives, and main provisions of the Convention, as well as the challenges and opportunities of cybercrime.

The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC

UPDATE: On 6 May 2024, I presented a more detailed critique of the Cybercrime Bill to the Parliamentary Joint Select Committee. The presentation can be found HERE.

Top 25 leaders in cyber security

“Cyber Security Hub is thrilled to present our top 25 leaders in cyber security for 2024

The list features people from all over the globe and from different specialisms, including fraud detection, corporate governance, cyber defense, ethical hacking and more. They all have extensive expertise, have made remarkable achievements towards advancing cyber safety, and use their public profiles to raise awareness of the importance of cyber security, both as a safety measure and a career.”

Thank you Cyber Security Hub for this recognition! Giving back to the industry and the profession means so very much to me, and recognition is often a secondary thought. But when it comes out of the blue, it is always deeply appreciated.

Being part of this list with my friend Jason Lau is also particularly special, as is sharing it with persons that I deeply admire and respect such as Tia (Yatia) Hopkins, Confidence Staveley, and Jen Easterly. These individuals inspire me daily, and their contributions to the profession as well as to online security, resilience and stability are immeasurable. Biggest respect and congrats to all those persons on the ‘Top 25’ list – You’re simply amazing!

Finally, the role that ISACA has played in my career and continues to play in the careers of thousands of digital trust professionals across the world is phenomenal. I am beyond privileged to be a Board Director at the organization!

Thanks again!

You can see the full list here: https://ow.ly/yOvE50PYury

Alumni of Distinction Award (Technology) – Algonquin College

I am proud to announce that I have been selected to receive the Alumni of Distinction Award (Technology) at my alma mater Algonquin College of Applied Arts and Technology.

“The hands-on learning environment of Algonquin College is what set Harper up for success in his early career. Lab work combined with theory ensured Harper was equipped with the necessary knowledge to excel in the telecommunications field. He credits his workforce readiness to his time spent working on technology systems in the College’s labs, noting how the practical skills acquired contributed to his early success.

He also remarked on how the professional connections made throughout the program ensured an easy transition into the work environment post-grad. College was the launch pad for Harper to explore his passions and determine his future pursuits — his time at College helped him foster his passion for telecommunications and sparked a lifelong career of improving people’s lives through Internet and ICT services.”

My time at Algonquin College has been a key factor in my career success, and I am beyond proud to be an alum of the institution!

I am very humbled and welcoming of their recognition.

Check out my story here: https://bit.ly/3LgR1b9

How international cybersecurity frameworks can help CISOs

Cyber laws are more than just the actual statutes themselves. It’s the sum of all that a robust cyber-policy framework facilitates. This includes cybersecurity and cybercrime legislation, workforce development strategies, cyber information-sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy, and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who’s part of the professional standards working group with the UK Cyber Security Council, member of the board of directors at ISACA, and World Economic Forum Cyber risk working group.

Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.

For CISOs, everything needs to be framed around cyber-risk management and business strategy alignment, but external collaboration is critical. Public-private partnerships, especially as it pertains to critical national infrastructure protection, are crucial in the fight against cybercrime and so are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.

Many thanks to CSO Online for engaging myself and other privacy and cybersecurity experts to discuss two of my absolute favourite topics – “cyber law” and “cyber policy”. I wanted to further expand on my comments that were quoted in the online article.

There are currently 68 parties to the Budapest Convention and 21 observer countries which are signatories and have been invited to accede. There’s vital international cooperation and collaboration on cybercrime that occurs via mutual legal assistance treaties (MLATs) and through organizations such as INTERPOL, AFRIPOL, ASEANAPOL, EUROPOL, UNODC, and others. But due to the complexity, scale and scope of cybercrime, a lot more can be done. The problem often comes down to the capabilities (or lack thereof) in nation states to effectively participate in international cooperation activities. And frankly, many countries are simply not equipped, hence why we are seeing these safe havens as it pertains to cybercrime. This is the purpose of the Budapest Convention along with several global capacity building initiatives such as GLACY / GLACY+, SIRIUS, EU Cyber Direct, GFCE, and others – To assist nation states in building capacity in areas such as national cyber security strategy, cybercrime legislative reform, computer emergency response teams (CERTs), digital forensics, and access to cross-border electronic evidence (e-evidence), just to name a few.

There’s also the work being done via the UN’s Open Ended Working Group (OEWG) and the Ad Hoc Committee towards a global Cybercrime Convention. The current approach through the Budapest Convention has created a patchwork quilt of cybercrime laws and different levels of maturity across the 195 UN Member States. A global Cybercrime Convention is intended to comprehensively harmonise cyber laws and enable agile multilateralism to better tackle cybercrime and enhance coordination and cooperation among nation states.

The Budapest Convention also has several notable limitations. Besides the areas you mentioned, there are material flaws in that it lacks privacy and civil liberties protections; it’s far too broad in its scope and can often implicate innocent individuals such as researchers, activists, and whistleblowers; it’s missing certain protections to prevent it being deployed for political persecution; it fails to require “dual criminality” as a prerequisite for mutual legal assistance (i.e., acts must be illegal in both countries); it gives law enforcement wide and intrusive surveillance powers; and it distorts existing intellectual property regimes by moving away from fair use and public interest objectives. The new UN Cybercrime Convention must resolve these and other issues – if there’s ever consensus across Member States – especially narrowing of the scope, building capacity across Member States, and the inclusion of human rights safeguards.

Cybercrime prevention requires cooperation at many levels – legal as well as technical and political. Many countries have cybercrime laws in place, but the technical skills required to enforce them are missing, and this is across areas such as operational law enforcement, law enforcement administration, support services, and judicial officers. Additionally, in many nations, law enforcement officers (LEOs), police administrators, politicians, and court officers are corrupt, underpaid/overworked, or simply lack the motivation to properly enforce the laws on the books. They are also often bribed or intimidated by criminals. Remember the famous quote by Peter Drucker, “Culture eats strategy for breakfast”? The same applies to effective cybercrime prevention.

How municipalities are dealing with being low-hanging targets for hackers

“On cybersecurity veteran Niel Harper’s first day as virtual CISO at a municipal agency, he was thrown immediately into the reality in which cities and town administrations find themselves today — under threat and scrambling to find the resources to fight back.

The new organization, which he asked not to be named for security reasons, came under a massive ransomware attack that encrypted the entire production environment in a matter of hours. The attackers compromised the network via a weak administrative password, encrypted all servers and storage systems, and reset the backup servers to factory settings. “The client had no response plan in place, so I had to build one on the fly,” he says. “I used that experience to create a detailed incident response plan with roles and responsibilities, and then followed up with annual desktop attack simulations.””

Local governments, much like hospitals, schools, and municipal water authorities, are “low-hanging fruit” – organizations that lack the resources to effectively defend themselves against routine cyberattacks, never mind an advanced persistent threat (APT). For threat actors targeting under-resourced local governments, the goal is not necessarily financial reward but instead to broadly disrupt society at the municipal level. A number of successful cyberattacks have severely impacted local governments in recent years. These include attacks on targets ranging from 911 call centres to public school systems to community clinics. The consequences of a successful cyberattack against local government can be debilitating.

Other cybersecurity leaders and I recently spoke to Deb Radcliff at CSO Online about what local governments can do to better defend themselves against online threat actors, including enhancing recruitment, leveraging available resources from national cybersecurity agencies, and building incident response capabilities, among others.

Check it out!

Caribbean telecoms operators seek to deepen their monopoly strangleholds

This past Friday, Caribbean telecommunications operators held a meeting in Miami to fine tune their strategy to have Big Tech companies contribute financially to regional telecoms network infrastructure. Hosted by the Caribbean Telecommunications Union (CTU), and taking a similar perspective to the “fair share” proposal currently being debated in the European Union, regional network operators are arguing that over-the-top (OTT) service providers such as Meta (Facebook, Instagram and WhatsApp), Alphabet (Google), TikTok, Netflix, Amazon and Microsoft are responsible for 67 per cent of the total Internet traffic in the Caribbean, but make no contributions or investments toward local delivery networks. Moreover, they further asserted that a market failure is occurring with resultant stalled revenues for telcos, and limited prospects for future growth.

This “fair share” argument is literally reviving antiquated telecoms regulations from the era of the public switched telephone network (PSTN) and circuit switched networks. There is no evidence that a real problem or market failure exists in the Caribbean telecoms sector and there has been no credible evidence warranting the introduction of network fees. I challenge Caribbean network operators to provide conclusive data that shows their networks are over capacity, and that they are financially incapable of investing in their own infrastructure, especially when we consider that consumers are already paying for the use and improvement of their networks (Caribbean consumers are currently subjected to some of the highest mobile data costs in the world) – Hence ISPs effectively want to charge twice for the same infrastructure. The Internet has proven its ability to cope with increasing traffic volumes, changes in demand patterns, technology, business models, as well as in the (relative) market power between market players. These developments are reflected in the Internet Protocol (IP) interconnection mechanisms governing the Internet which evolved without a need for regulatory intervention. There are multiple ways to finance network investments that don’t result in irreparable harm to the Internet’s technical architecture, the rights of consumers, and the overall Internet economy (e.g., joint ventures, private investors, spinning off segments into separate companies and seeking limited financing, special purpose vehicles based on public infrastructure funds, etc.).

From a technical standpoint, the Internet is based on different networks negotiating simple connection agreements between each other, based on interoperable technical standards. What Caribbean telcos will more than likely achieve – similar to their European counterparts – is where consumers will be restricted to only accessing content and services that are subject to agreements between ISPs and OTTs, and the quality and conditions of the content delivery will also be subject to the negotiated commercial arrangements. The technical danger of requiring network fees will invalidate the global and open Internet model for permissionless innovation and can lead to a highly fragmented Internet. It is a terrible policy suggestion for our region, and for the Internet as a whole, to suggest ‘rules’ that seek to artificially regulate how IP networks are managed.

This proposal also presents a rights-based threat to Internet users across the Caribbean. One of the most sacrosanct rules of the Internet is ‘net neutrality’, which is that Internet service providers (ISPs) must enable access to all content and applications regardless of the source, and without favouring or blocking specific websites or services. Given that ISPs also own what is known as the “last mile” (the physical connectivity to our homes), they can filter what content or services we are able to access, as well as determine the quality of our access. They can do so by blocking content, throttling network performance, and by introducing prolonged congestion that affects consumers negatively […].

The full article can be found on the CircleID website.

Would love to hear your thoughts on this important topic!

ISACA Board Director Niel Harper Secures a Role on the Professional Standards Working Group of UK Cyber Security Council

“The UK Cyber Security Council has announced that Niel Harper, a cybersecurity executive and member of the ISACA Board of Directors, has secured a role in its Professional Standards Working Group. This appointment is an important recognition of Harper’s expertise and contributions to the field of cybersecurity.”

Workforce development is critically important to the security and resilience of nation states (and organizations as a matter of fact). There is diversity in the breadth and depth of cyber security skills required across government. These include deep technical skills and the non-technical cyber security skills that are needed across other specialisms and professions, such as digital, policy, commercial and assurance.

Guided by the standards and pathways established by the UK Cyber Security Council, the UK government will develop its understanding of the range of cyber security skills and knowledge required across government and will respond accordingly, ensuring that its workforce is inclusive and diverse.

I am honoured to have been chosen to join the Professional Standards Working Group of the UK Cyber Security Council. Collaborating with top experts in the field to shape the future of cybersecurity standards in the UK is an exciting opportunity.

No, We Don’t Need Generative AI Meddling in Our CI/CD Pipelines!

Infosecurity Magazine recently published an article titled ‘ChatGPT Leveraged to Enhance Software Supply Chain Security.’

In the article, Neatsun Ziv, CEO and co-founder of OX Security, said that the utilisation of AI tools will provide faster and more accurate data to developers compared to other tools, allowing them to repair security issues far more easily. Harman Singh, managing director and consultant at Cyphere, said that he expects ChatGPT and other generative AI models to make accuracy, speed and quality improvements to the vulnerability management process.

In my opinion, we really don’t need ChatGPT or other generative AI models writing code or integrated into vulnerability management processes. These tools are way too rudimentary and unreliable for such important tasks.

We need to train software developers on secure coding, for example on general standards like Building Security in Maturity Model (BSIMM), OpenSAMM (Software Assurance Maturity Model), and Open Web Application Security Project (OWASP) and on specific frameworks they use such as Angular, Laravel, Flutter, Ruby on Rails, .NET, and others.

We need strong access controls for repos and for pushing updates to repos. We need tooling that creates SBOMs, detects bugs and vulnerabilities in code, and analyses dependencies for vulnerabilities and excessive permissions, among other things. We need effective and repeatable security architecture, patch management and vulnerability management tools and processes. We need software developers who are competent in threat modelling as well as in security-by-design and privacy-by-design principles.
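As an added illustration of the SBOM-driven dependency analysis the paragraph above calls for (this is example code written for this page, not the author's or any product's), the script below parses a CycloneDX-style SBOM, matches each component against an advisory list using version ranges, and returns findings that a pipeline gate can fail the build on. The SBOM fragment, the advisory identifiers, the package names and the severity threshold are all constructed for illustration; a real pipeline would pull advisories from a vulnerability database such as OSV rather than a hard-coded list.

```python
"""Added example (not from the original post): a minimal SBOM-based
dependency check of the kind a CI/CD pipeline step would run.

The SBOM, the advisories and the package names are constructed for
illustration only.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM fragment in the CycloneDX 1.4 JSON shape (illustrative).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-web",  "version": "2.3.1"},
    {"type": "library", "name": "example-auth", "version": "1.0.9"},
    {"type": "library", "name": "example-log",  "version": "4.2.0"}
  ]
}
"""

# Constructed advisories. A version is affected when
# introduced <= version < fixed (the half-open range OSV uses).
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "example-web",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "EXAMPLE-2023-0002", "package": "example-auth",
     "introduced": "1.1.0", "fixed": "1.1.4", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2023-0003", "package": "example-log",
     "introduced": "0.0.0", "fixed": "4.2.1", "severity": "LOW"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    A pre-release suffix after '-' is dropped; this is a simplification,
    not full semver precedence.
    """
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the name/version pairs listed in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [{"name": c["name"], "version": c["version"]}
            for c in bom.get("components", [])]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match every SBOM component against every advisory; one finding per hit."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def gate(findings: List[Dict[str, str]], fail_at: str = "HIGH") -> bool:
    """Pipeline policy: pass only if no finding is at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f["severity"]] < threshold for f in findings)


if __name__ == "__main__":
    results = scan(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['component']}@{f['version']} "
              f"{f['advisory']} (fixed in {f['fixed_in']})")
    print("build", "PASSED" if gate(results) else "FAILED")
```

With the constructed inputs, example-web 2.3.1 falls inside the HIGH advisory's range and example-log 4.2.0 inside the LOW one, while example-auth 1.0.9 sits below the affected range and is not flagged; the default HIGH threshold therefore fails the build. The point of keeping the gate separate from the scan is that the threshold is a policy decision the pipeline owner sets, not something the scanner decides.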

We DO NOT need generative AI meddling in our CI/CD pipeline and SSDLC (particularly right now)!

Regulating AI Tech is No Longer an Option: It’s a Must!

“Responsible, ethical use of AI is the key. From a corporate perspective, business leaders need to articulate why they are planning to use AI and how it will benefit individuals. Companies should develop policies and standards for monitoring algorithms and enhancing data governance and be transparent with the results of AI algorithms. Corporate leadership should establish and define company values and AI guidelines, creating frameworks for determining acceptable uses of AI technologies.

Achieving the delicate balance between innovation and human-centered design is the optimal approach for developing responsible technology and guaranteeing that AI delivers on its promise for this and future generations. Discussions of the risks and harms of artificial intelligence should always be front and center, so leaders can find solutions to deliver the technology with human, social and economic benefits as core underlying principles.”

I recently wrote a short piece on the ISACA Now Blog explaining why a robust framework of laws and regulations is needed for the potential of “AI” to be truly realised.

Check it out and let me know your thoughts!

Digital ID Explained: Pros, Cons, and “Should I get the Trident ID card?”

PURPOSE

I continue to receive countless questions from various walks of Bajan society about the Trident ID card and the national digital ID program. This is stark evidence that the Government of Barbados HAS NOT done an adequate and effective job of alleviating the concerns of the public. As such, I wanted to clarify once and for all the pros and cons of digital ID systems, and answer the million dollar question I am repeatedly asked, “Should I get the Trident ID card?”

INTRODUCTION

Digital identity (ID) has become the topic of the moment in Barbados, given the government’s poor implementation, failure to address the fears and anxieties of the public, and generally ineffectual communication to the average person on the street as to why they need digital ID and what value it will bring to their lives. The government has set out to provide a single digital identity to all residents/citizens through the collection, storage, and use of their biographic data (e.g., name, address, date of birth, gender, national registration number, etc.) and possibly their biometrics (e.g., fingerprints, iris scans, facial scans, etc.) as the primary means of establishing and verifying their identity. They will achieve this through a legally mandated, centralised national digital ID system.

Governments, international organizations, and multilateral banks (e.g., International Monetary Fund, World Bank, etc.) argue that digital ID systems provide benefits such as more effective and efficient delivery of government services; poverty reduction and welfare programs; financial inclusion through better access to banking and other products/services; reduced corruption; and preservation of national security interests. Multilateral banks are providing significant funding to developing countries to implement digital ID. In some cases, they’re even making the implementation of digital ID systems a ‘condition’ of loan agreements.

Critics maintain that digital ID systems may actually not guarantee more effective access to social and economic benefits, enhance service delivery, or improve governance, while at the same time they raise serious issues, including worries about how they are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. With regard to human rights, they threaten the right to privacy, freedom of movement, freedom of expression, and other protected rights. Additionally, since they usually involve the creation and maintenance of centralised databases of sensitive personal data, they are also prone to breaches by hackers or abuse/misuse by government institutions. These issues may lead to digital IDs becoming widespread tools for identification, surveillance, persecution, discrimination, and control, especially where identities are linked to biometrics and made mandatory.

For a more detailed explanation of both sides of the debate, please see below the PROS and CONS related to digital ID systems.

PROS

Easier access to services: digital ID systems can enable more efficient digital transformation across the local economy and increase Barbados’ participation in the global digital economy, especially given that many transactions – local and international – require personal identification. With Barbadians presented with fewer obstacles to prove their identity, commercial activities (including e-commerce) and government services (including e-government) become more accessible and effective.

Faster and cheaper transactions: the use of digital ID can allow for reductions in costs and response times, resulting in speedier execution, less red tape, and the availability of more responsive and relevant services. The quickness and trust with which a person’s identification can be verified allows for cheaper and more efficient interactions for all involved.

Fraud reduction: digital ID systems can offer several benefits in terms of online security, thus reducing the occurrence of online scams, fraud, and personal data breaches. A number of countries that have implemented digital ID have experienced significant decreases in fraud, saving them tens and even hundreds of millions of dollars.

The graphic below outlines several ways in which digital ID can be used based on the roles played by organizations and individuals (Source: McKinsey).

The four (4) main areas of direct economic value for individuals have been identified as increased access to financial services, improved employment opportunities, greater agricultural productivity, and time savings. The five (5) highest sources of value for institutions – both the private and public sectors – are cost savings, fraud prevention, increased revenues from goods and services, improved employee productivity, and higher tax revenues.

CONS

Privacy and security: digital ID systems process billions of data points of our private information, regularly without our consent or knowledge. This information can include biographic details (national registration number, date of birth, gender), biometrics (facial recognition, iris scans, fingerprints), banking and transactional data, and location-based info when digital ID is used, for example, in public transportation (the government has expressed plans to use the Trident ID for cashless payments on buses). The centralisation of so much data, excessive sharing of personal data without user consent, inability to control your personal data, exposure to cyber attacks and data breaches, and in worst case scenarios – mass surveillance by corporations and governments – are all issues which show the potential negative impact of digital ID.

Discrimination, biases and exclusion: the Barbados Digital Identity Act has a number of clauses which generate concerns about discrimination and exclusion. The Act states in several places that the digital ID will be required for persons to be added to the register of voters, to vote in elections, to access public and private services, and to obtain a driver’s license. There are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded (e.g., the Trident ID website currently DOES NOT have several accessibility features for the disabled). Digital ID technologies are also, at the end of the day, developed by humans, and through poorly designed algorithms and data analytics they can reinforce human biases. Discrimination against key communities such as immigrants, LGBTQ+ persons, the homeless, and the disabled, among others, has been highlighted in many digital ID related studies globally.

Technical errors: unintended consequences can occur that lead to restricted access to critical services (e.g., failures in authentication at points of service with no redundancy; websites that aren’t user friendly or stable; duplicate or inaccurate records; inability to add essential information; or the lack of reliable technical support, etc.). The government must fully consider availability risks and identify user-centric and privacy-enabling solutions to mitigate them. In African and Asian countries, numerous instances of technical errors were uncovered which presented citizens with major challenges.

Deployment challenges: five key problems exist, which are the lack of funding to maintain secure cyber systems and to hire or retain critical human resources to administer them; unequal access to mobile Internet and smartphones – the technology with the most potential to drive the uptake of digital ID; dependency on a specific technology or vendor; low trust in government; and the difficulty of rolling out in rural areas.

SHOULD YOU GET THE TRIDENT ID CARD?

As I have stated before, my concern is not particularly with the Trident ID card. The card is only one small piece of the overall digital ID ecosystem. My biggest concerns are as follows:

Poor legislation underpinning the digital ID system: Digital ID must be supported by a legal and regulatory framework that supports trust in the system, prevents abuse such as warrantless and disproportionate surveillance, guarantees data privacy and security, prevents discrimination, and maintains provider (government and corporations) accountability. This includes laws for digital ID management along with laws and regulations for e-government, privacy and data protection, computer misuse, data sovereignty/localisation, electronic transactions, limited-purpose ID systems, accreditation of participants, and freedom of information, among others. Unfortunately, a number of these laws are not available in Barbados at this time, and where they are, the language is problematic, enforcement is deeply lacking, or the legislation is outdated.

Government’s atrocious record in terms of protecting IT systems and the personal data privacy of individuals: The Government of Barbados DOES NOT have the resources (people, processes, or technologies) to secure complex IT systems and provide consistent privacy-enabling solutions. If they did, there would not be so many successful cyber-attacks and data breaches of government online systems in recent years (e.g., Queen Elizabeth Hospital, Ministry of Information and Smart Technology, Immigration Department, Barbados Police Service, and many others). Until government invests significantly in building their capacity in these areas, their IT systems and the personal data of Barbadians will be AT RISK.

The communication (or lack of) by government addressing the public angst around their digital ID program: Government has not effectively articulated the benefits of digital ID, its value to the average person on the street (in real and meaningful terms), its potential disadvantages and risks, what they are doing to manage these risks, and what Barbadians can do to protect themselves. Instead they have chosen to evade questions, avoid public discussion with experts involved, and turn their resources towards attacking private citizens who are expressing concerns.

In 2018, I conducted a European Union (EU) cybersecurity assessment for the Government of Barbados. In the report, I clearly stated:

Trust in the Internet and in the use of online services is critical to developing a thriving local Internet economy and to participating widely in the global digital economy. Low trust in the Internet, e-government services, and e-commerce services hampers the government, businesses and consumers from fully taking advantage of all the economic benefits the Internet has to offer. Given the high fixed broadband and mobile data penetration rates in Barbados, this is especially concerning.

European Union Consultancy to Develop a Government Cybersecurity Assessment and Strategic Roadmap – Cybersecurity Assessment Report (Authored by Niel Harper)

From 2018 to the present day, the government has failed to address the low levels of trust or their lack of expertise in delivering secure and privacy-respecting IT solutions, all of which are undoubtedly preventing them from delivering their digital transformation and modernisation agenda (including the implementation of the digital ID).

Ultimately, Barbadians need to decide for themselves if the value of obtaining the Trident ID outweighs the associated risks. I cannot make this decision for anyone. All I can do is educate and build awareness, and try to put some pressure on the government to be more accountable and take greater responsibility for protecting citizens from the negative effects of digital ID, mass personal data processing, cyber attacks and data breaches, human rights violations, online fraud, and other harms resulting from widespread government use of information and communication technologies (ICTs).

ADDITIONAL RESOURCES

FACT CHECK: The Electoral and Boundaries Commission’s Response

Why the Barbados Election List Data Leak is Problematic – And How It Could Have Been Prevented

Comments on the National Identity Management System Act

Too Many Unanswered Questions: The Barbados National Digital Identification

Creating a good ID system presents risks and challenges, but there are common success factors

What is a digital identity ecosystem?

Understanding the risks of Digital IDs