Barbados’ Digital Aspirations: A Reality Check

In a recent Barbados Today article, the CEO of the newly minted GovTech Barbados stated with confidence that the country is “on the brink of a sweeping digital transformation, with a particular focus on enhancing its cybersecurity infrastructure.” While the ambition is commendable, it’s crucial to examine these claims with a critical eye. As someone deeply involved in the tech sector for almost 30 years, I find several elements of this grand vision questionable at best, and potentially misleading at worst.

The ‘Conundrum’ of the Tier 3 Data Center

The government’s plan to establish a Tier 3 National Data Center sounds impressive on paper. However, this claim ignores several fundamental realities of Barbados’ infrastructure, market conditions, and human capacity.

Costs

With a monopoly electric company serving the entire island, is it even possible to achieve the redundancy and reliability required for a Tier 3 facility in a cost-effective manner? Tier 3 data centers demand multiple, independent power distribution paths. In the Uptime Institute tier model, onsite power is the only reliable source of power – it is completely within the span of control of the organization, with no conflicting external entity’s profitability goals. Given the high costs of commercial power in Barbados ($0.33 per kWh – one of the highest in the world), and the even higher costs associated with operations and maintenance for onsite generated power, has the government properly assessed the overall costs of delivering the power requirements for a Tier 3 data center?

In addition, a Tier 3 data center requires the installation of redundant systems in terms of uninterruptible power supplies (UPS), direct current battery plants, diesel-based power generators, and HVAC systems, including heating (H), ventilation (V) and precision air conditioning (AC). Below is an overview from Kio (a global data center company) in US dollars of the costs of building out such facilities.

With regard to network connectivity, a Tier 3 data center must have multiple Internet service provider connections and dedicated fiber optic cabling. This is particularly challenging as telecoms costs in Barbados are phenomenally high when compared to the global average. Furthermore, a mile of fiber optics can cost upwards of $250,000 USD. Then there are the incremental costs for perimeter control/fencing, access control systems, metal detectors, video monitoring, fuel tanks, telecoms grounding and lightning protection, fire suppression, racking hardware, networking equipment, server infrastructure, tier certification, etc. I will address the costs for staffing in greater detail in the next section.

The capital expenditure (CapEx) and operational expenditure (OpEx) can quickly skyrocket. My conservative estimation is CapEx of approximately USD$20 million for the greenfield build-out of the Tier 3 facility and USD$5-10 million in annual OpEx to successfully run it.

Taking into consideration that Tier 3 data centers usually have a commercial model, it would be good if the government can explain to the general public how the build-out is being funded, whether taxpayers will be expected to cover the costs, will more loans and increased debt be involved, how will the return on investment (ROI) be achieved, what does the total cost of ownership (TCO) look like over a 5-10 year period, and other related financing and cost recovery details.

Talent

Another area worth a deeper dive is the talent associated with the operations and maintenance of a Tier 3 data center. For operational sustainability, staffing must be divided into three (3) categories.

  • Headcount: The number of personnel needed to meet the workload requirements for specific maintenance activities and shift presence. Assuming a 24x7x365 operation, headcount will be needed to cover daily administration, preventative maintenance, corrective maintenance, vendor support, project support, and tenant work orders.
  • Qualifications: The degrees, certifications, technical training, and experience required to properly maintain and operate the wide array of installed infrastructure.
  • Organization: The reporting structure for escalating issues or concerns, with roles and responsibilities defined for each group.

Most of the persons on-island that meet these requirements are employed by Digicel, Flow, or commercial banks. The remaining talent would have to be sourced from overseas. What is the government’s strategy for attracting and retaining this level of talent? How will they do so in a fiscally responsible manner? Has a skills gap analysis been performed for the public sector? Is there a talent management and professional development plan to ensure that this digital initiative is adequately resourced from the human capital perspective? 

Environmental Impact

Data centers are responsible for an enormous negative environmental impact: their gluttonous annual consumption of electricity, greenhouse gas emissions, heavy water consumption, generation of toxic electronic waste, and other types of direct and indirect ecological harms are of major concern. In conformity with the United Nations Sustainable Development Goals (UN SDGs), the potential environmental impact of data centers should be numerically assessed to compare to the environmental capacity and chart a plan towards sustainability.

Has the government completed an environmental impact assessment (EIA) for the data center facility? Have they engaged surrounding residents to discuss the known issues with data centers, including noise pollution and drought risks? Given the government’s commitment to climate change, what are their plans for the Tier 3 facility vis-a-vis carbon-neutrality, carbon offsetting, and investment in renewable energy systems like wind and solar? What is the government’s broader toxic electronic waste disposal strategy?

The “Sovereign Cloud” Misnomer

The term “sovereign cloud” has been tossed around, but it appears to be more buzzword than substance. In the tech world, a sovereign cloud typically refers to public cloud services that treat workloads as if they’re in the client’s home country, even when physically hosted elsewhere.  Sovereignty requirements mandate that customers’ usage of what’s typically understood as public cloud must be immune from the impact of foreign laws and mandates; sovereignty overall is then a key requirement for consideration alongside other controls requirements such as security, resilience, data residency, and privacy. These factors generally apply when a government or international organization is purchasing services from an overseas-based cloud provider.

What GovTech Barbados is proposing is simply a government-owned data center located on Bajan soil. It’s inherently sovereign, but a “sovereign cloud” it isn’t – it’s just a standard approach to local data hosting. By misusing this term, are they trying to make a normal infrastructure upgrade sound more innovative than it really is?

The vast majority of the government’s public sector computing environment is based on traditional client-server architecture and on-premise data processing. There’s nothing specifically “cloud-centric” about it. Bearing that in mind, it would be good to better understand the government’s future state cloud architecture. How will cloud-related skills be obtained in the public sector where they currently don’t exist? What’s the overall enterprise architecture model? How will they transform deeply antiquated, siloed and fragmented government systems into a cohesive architecture premised upon modern cloud technologies? What cloud solutions will be used for orchestration, observability, infrastructure, databases, etc.? How will existing infrastructure and applications be refactored to be cloud native? Is their approach based on private cloud, public cloud, or multi-cloud? Have disaster recovery needs been considered? Has the partner/vendor ecosystem been defined? What about third-party risk management (TPRM)? These questions and more need to be answered.

The last 2 questions are especially pertinent given the announced partnerships with Promotech and Fortinet. The former (Promotech) is a consumer electronics retailer with zero credentials in deploying complex, secure, enterprise-scale technologies, and the latter (Fortinet), while a solid cybersecurity solutions vendor, requires advanced expertise to properly deploy and manage its equipment. Fortinet is also known to be quite expensive in terms of professional services, and it has had a number of security issues in recent times.

Cybersecurity: Promises vs. Reality

The government’s emphasis on cybersecurity is not new. In fact, it’s a tune we’ve been hearing from as far back as 2012. Over the last 10 years, the Government of Barbados has received substantial funding from various international bodies to enhance its cybersecurity posture. Yet, where is our national cybersecurity unit? Why is our cybersecurity maturity so low compared to other developing countries such as Botswana, Cuba, Ethiopia, Ghana, Guyana, Jamaica, and Kenya, among others?

And despite numerous cybersecurity assessments, strategies, and roadmaps conducted by international organizations (e.g., ITU, OAS, European Commission, etc.), we seem no closer to establishing a robust cybersecurity framework than we were a decade ago. 

In the International Telecommunications Union’s (ITU’s) recently released 2024 Global Cybersecurity Index, Barbados scored quite poorly against the Americas regional average (see below).

With this ITU ranking as a backdrop, it has to be said that the GovTech Barbados announcement feels like déjà vu. What’s different this time? How can we trust that these plans will materialize when similar promises have fallen flat repeatedly? Amidst the talk of setting up a national cybersecurity unit, is Mr. Boyce aware that the responsibility for national cybersecurity lies with the Barbados Defence Force (BDF) Cyber Unit? Has he consulted with anyone on what was the mandate, scope, and lessons learned from the government’s failed Cyber Security Working Group (CSWG)? Has someone told him that in recent years, a Barbados Computer Emergency Response Team (BCERT) was funded by international donors, an office location and equipment were set up, but the CERT was never staffed or actually operational? To be frank, he seems quite unaware of what has transpired in the nation’s cybersecurity landscape over the past 5-7 years.

The Spectre of Abuse, Censorship, and Exclusion

While the government touts the benefits of centralized digital infrastructure, we must also consider its darker implications. A nationally controlled data center, pervasive e-government systems, and fully integrated identity-based platforms can easily become powerful tools for abuse of authority, mass surveillance, and oppression. These risks are even more pronounced with GovTech’s proposed use of artificial intelligence (with no regulatory safeguards) and the government’s insistence on implementing poorly drafted and potentially rights-violating cybercrime laws.

Others and I have raised serious concerns, including worries about how new citizen-centered digital services are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. In the context of human rights, the risks are related to the right to privacy, freedom of movement, freedom of expression, and other protected rights. For example, GovTech has stated that they plan on “releasing certain public datasets” in order “to spur the development of new products and services from local tech companies.” Government must be transparent on whether or not personal data will be involved and how these decisions align with the Data Protection Act, including what risk assessments and security countermeasures will be put into place to prevent material harm to individuals.

With all government data and services funneled through a single point, the temptation for overreach becomes significant. Who will oversee this system? What checks and balances will be in place to prevent abuse? The ability to control information flow and access to digital services could be weaponized against dissenting voices or used to manipulate public opinion.

We must demand clear, legally robust safeguards against such misuse. Without them, our journey towards digital transformation may well become a path to digital authoritarianism.

The Bigger Picture

While digital transformation is undoubtedly crucial for Barbados’ future, we must approach these grand declarations with healthy skepticism. Are we genuinely prepared for the scale of change being proposed? Do we have the necessary infrastructure, expertise, and, most importantly, the political will to see these projects through?

Moreover, in our rush to digitize, are we addressing more fundamental issues? Can we talk about advanced data centers when parts of our island still struggle with basic Internet connectivity? Are affordable Internet and telecoms services even attainable when the regulating functions within the Ministry of Industry, Information, Science and Technology (MIST) and the Fair Trading Commission (FTC) are incapable of delivering core consumer benefits (e.g., consumer protection, service quality, diverse product and services offerings, affordable prices, etc.)? Can we really talk about cybersecurity when breaches of government IT systems are the norm as opposed to the exception? Why are the bulk of e-government services still lacking in accessibility features for the differently abled?

Mr. Boyce emphasized that, “The National Data Centre will allow the government to take a more data-driven approach to governance.” Data centers and data governance are both important for the country’s data-driven future, but they have very different focuses, and the links between the two are tenuous. A data center is a physical facility that is used to house IT infrastructure, applications, and related data. Data centers are designed based on technology components: networks, computing, and storage resources that enable the delivery of shared applications and data. Data governance involves the management of data quality, security, usability, and availability. It is oriented towards people and processes – policies, procedures, roles, and metrics which ensure data is leveraged efficiently and effectively. Data governance can help the government and private corporations make better decisions, reduce costs, and comply with regulations such as the Data Protection Act (DPA), General Data Protection Regulation (GDPR), and others. However, one can have a data center and still have poor data governance or you can have no data center and have strong data governance. There are literally no dependencies of either element on the other.

“A key aspect of the digital transformation plan is to integrate digital services, allowing ministries and departments to collaborate seamlessly. Initiatives such as digital identifiers and signatures will enable citizens to access multiple services through a centralized portal, gov.bb, reducing fragmentation in the current system.” This statement from the CEO of GovTech is quite worrisome. Does he know that over the last 4 years there was an IDB-funded e-Services Project with these same objectives that failed spectacularly? Does he realize that the National Digital ID project – another public sector IT project that was poorly executed – was designed to provide centralized identity-based services to citizens, including digital identifiers and signatures?

The fact remains that IT projects for the Government of Barbados seldom fail due to technology-related issues. The technologies are generally sound and fit for purpose. Leadership-related issues are at the core of these repeated failures. A lack of skills in managing complex, large scale IT projects is also a major factor, which leads to a corresponding inclination to rely instead on outsourcing to consulting firms or a heavy dependence on the professional services arms of vendors. The problem here is that government employees lack the capabilities to manage these third-parties, are unable to meet government-owned deliverables, or impose unrealistic / infeasible requirements on experts that actually know what they’re doing. In addition to the absence of skills for managing large IT efforts in general, there are also huge deficiencies in change management skills in particular.

A Call for Transparency and Realism

As citizens, we deserve more than lofty promises and tech jargon. We need a clear, realistic roadmap for digital transformation that acknowledges our current limitations and outlines concrete steps to overcome them.

Instead of grand visions, let’s start with achievable goals. Develop a strategic roadmap that has a long-term arc and practicality that survives biased political motivations and changes in government administrations. Improve our basic digital infrastructure and access to it for all. Invest in education to build a tech-savvy workforce. Ensure that our legal and regulatory framework supports open, accessible, secure, rights-upholding, and citizen-centric digital services. Create governance, risk, and oversight mechanisms which guarantee that projects deliver tangible value, not just headlines.

Barbados has the potential to become a digital leader in the Caribbean, but not through wishful thinking. We need honest assessments, pragmatic planning, and, above all, a commitment to turning words into action. Until then, these digital aspirations will remain just that – unfulfilled aspirations.

Comments on the Barbados Cybercrime Bill (2023)

PART II – PROHIBITED CONDUCT

Illegal access

Part II (4) (1-2) is far too broad in its scope and can implicate innocent or well meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It’s even more problematic where judicial officers aren’t trained to understand how to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Certain guidance should be included with the legislation to distinguish between acceptable and criminal behaviours.

For example, the European Union (EU) General Data Protection Regulation (GDPR) includes 172 recitals – also known as the preamble – that provide context and explain the reasons for the regulation. There was also an explanatory memorandum that provided further details on the proposed legislation.

Misuse of devices

Part II (9) (a-b) There are a number of dual use programmes and applications which can be and are used for both legitimate testing and protection of computer systems and conversely for malicious intent. There should be language here which acknowledges such and removes criminality in cases of ethical hacking for instance.

Disclosure of access codes

Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be illegal. The qualifier for criminality should be when the individual knows or has reason to believe that it is likely to cause loss, damage or injury to any person or property.

Critical information infrastructure system

Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the act is proclaimed (e.g., financial services, water utility, transportation, healthcare, hospitality, etc.). This should not be vague or left up to interpretation.

Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:

  • There is a legal framework or a mechanism to identify operators of critical information infrastructure.
  • Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

Malicious communications

Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to prevent criticisms of politicians/public personalities or for the purpose of political persecution. This same vague language exists in the Computer Misuse Act 2005, and has been improperly used for the same abuses identified. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**

Cyber bullying

Part II (20) (1) – Same as the previous comment.

Cyber terrorism

Part II (21) (1-2) This is too limited in scope and should include any use of computer systems for terrorism or organized crime. It should also include preparatory acts for terrorism or organized crimes (these are not the crimes themselves but the precipitating actions).

PART III – INVESTIGATION AND ENFORCEMENT

Search and seizure

Part III (23) (1-2) gives law enforcement excessively broad powers when it comes to confiscation and access to computer systems (including smaller form factors such as tablets and mobile phones). These types of powers require independent and effective oversight functions (as does this entire Act).

Assisting a police officer

Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, especially in the event that the grounds for disclosure have not been met. Again, this requires independent and effective oversight functions, and the oath of a police officer shouldn’t be enough to obtain a warrant that grants such far reaching powers.

Production of data for criminal proceedings

Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers when it comes to intercepting Internet communications, compelling service providers to hand over subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. These types of powers require independent and effective oversight functions. Again, the oath of a police officer shouldn’t be enough to obtain a warrant that allows for such intrusive acts.

Preservation of data for criminal proceedings

Part III (28) (1-3) There is no discussion of the conditions and safeguards for adequate protection of human rights and liberties when collecting and storing (preservation) data for criminal proceedings. This includes maintaining the “chain of custody”, protection of personal data in line with the Data Protection Act, handling of sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third-parties, records of how data is accessed and used, etc. The provisions should also include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

General observations – Part III

Part III (Investigation and enforcement) is missing key provisions related to:

  • Joint investigations or joint investigation teams
  • Expert witness testimony by video conferencing
  • Emergency mutual assistance (which is different to expedited disclosure)

ALIGNMENT WITH THE BUDAPEST CONVENTION

2nd Protocol of the Budapest Convention

It is clear that the Cybercrime Bill was patterned after the Council of Europe’s (CoE) Budapest Convention, which has been deemed as outdated or deficient for several reasons. The Additional Protocol and the Second Additional Protocol of the Budapest Convention treat additional issues around racism, xenophobia, enhanced cooperation, and access to electronic evidence (e-evidence). The drafters of this Bill do not appear to have integrated the substantive updates from the additional protocols or considered the protections and safeguards required by the Budapest Convention to protect human rights. So it looks like the government is essentially looking to enact legislation that is outdated and not in step with current technology developments or evolving jurisprudence.

* Training of judicial officers, especially with regard to technology law and privacy law, is a major problem in the country. Because these specialist areas of law are emerging, there is poor understanding of the issues by magistrates, judges, prosecutors, etc. and limited case law to refer to locally or in other regional jurisdictions. Consequently, many rulings / decisions have flawed bases, and individuals are often under- or over-penalised.

** The Budapest Convention, on which the Cybercrime Bill is based, has an accompanying 60-page explanatory report that specifies the additional checks and balances and rule of law-based environment that countries like Barbados should have underpinning their cybercrime legislation. The explanatory report also covers the background, scope, objectives, and main provisions of the Convention, as well as the challenges and opportunities of cybercrime.

The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC

UPDATE: On 6 May 2024, I presented a more detailed critique of the Cybercrime Bill to the Parliamentary Joint Select Committee. The presentation can be found HERE.

Regulating AI Tech is No Longer an Option: It’s a Must!

“Responsible, ethical use of AI is the key. From a corporate perspective, business leaders need to articulate why they are planning to use AI and how it will benefit individuals. Companies should develop policies and standards for monitoring algorithms and enhancing data governance and be transparent with the results of AI algorithms. Corporate leadership should establish and define company values and AI guidelines, creating frameworks for determining acceptable uses of AI technologies.

Achieving the delicate balance between innovation and human-centered design is the optimal approach for developing responsible technology and guaranteeing that AI delivers on its promise for this and future generations. Discussions of the risks and harms of artificial intelligence should always be front and center, so leaders can find solutions to deliver the technology with human, social and economic benefits as core underlying principles.”

I recently wrote a short piece on the ISACA Now Blog explaining why a robust framework of laws and regulations is needed for the potential of “AI” to be truly realised.

Check it out and let me know your thoughts!

Digital ID Explained: Pros, Cons, and “Should I get the Trident ID card?”

PURPOSE

I continue to receive countless questions from various walks of Bajan society about the Trident ID card and the national digital ID program. This is stark evidence that the Government of Barbados HAS NOT done an adequate and effective job of alleviating the concerns of the public. As such, I wanted to clarify once and for all the pros and cons of digital ID systems, and answer the million dollar question I am repeatedly asked, “Should I get the Trident ID card?”

INTRODUCTION

Digital identity (ID) has become the topic of the moment in Barbados, given the government’s poor implementation, failure to address the fears and anxieties of the public, and generally ineffectual communication to the average person on the street as to why they need digital ID and what value it will bring to their lives. The government has set out to provide a single digital identity to all residents/citizens through the collection, storage, and use of their biographic data (e.g., name, address, date of birth, gender, national registration number, etc.) and possibly their biometrics (e.g., fingerprints, iris scans, facial scans, etc.) as the primary means of establishing and verifying their identity. They will achieve this through a legally mandated, centralised national digital ID system.

Governments, international organizations, and multilateral banks (e.g., International Monetary Fund, World Bank, etc.) argue that digital ID systems provide benefits such as more effective and efficient delivery of government services; poverty reduction and welfare programs; financial inclusion through better access to banking and other products/services; minimise corruption; and preservation of national security interests. Multilateral banks are providing significant funding to developing countries to implement digital ID. In some cases, they’re even making the implementation of digital ID systems a ‘condition’ of loan agreements.

Critics maintain that digital ID systems may actually not guarantee more effective access to social and economic benefits, enhance service delivery, or improve governance, while at the same time, they raise serious issues, including worries about how they are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. With regard to human rights, they threaten the right to privacy, freedom of movement, freedom of expression, and other protected rights. Additionally, since they usually involve the creation and maintenance of centralised databases of sensitive personal data, they are also prone to breaches by hackers or abuse/misuse by government institutions. These issues may lead to digital IDs becoming widespread tools for identification, surveillance, persecution, discrimination, and control, especially where identities are linked to biometrics and made mandatory.

For a more detailed explanation of both sides of the debate, please see below the PROS and CONS related to digital ID systems.

PROS

Easier access to services: digital ID systems can enable more efficient digital transformation across the local economy and increase Barbados’ participation in the global digital economy, especially given that many transactions – local and international – require personal identification. With Barbadians presented with fewer obstacles to prove their identity, commercial activities (including e-commerce) and government services (including e-government) become more accessible and effective.

Faster and cheaper transactions: the use of digital ID can allow for reductions in costs and response times, resulting in speedier execution, less red tape, and the availability of more responsive and relevant services. The quickness and trust with which a person’s identification can be verified allows for cheaper and more efficient interactions for all involved.

Fraud reduction: digital ID systems can offer several benefits in terms of online security, thus reducing the occurrence of online scams, fraud, and personal data breaches. A number of countries that have implemented digital ID have experienced significant decreases in fraud, saving them tens and even hundreds of millions of dollars.

The graphic below outlines several ways in which digital ID can be used based on the roles played by organizations and individuals (Source: McKinsey).

The four (4) main areas of direct economic value for individuals have been identified as increased access to financial services, improved employment opportunities, greater agricultural productivity, and time savings. The five (5) highest sources of value for institutions – both the private and public sectors – are cost savings, fraud prevention, increased revenues from goods and services, improved employee productivity, and higher tax revenues.

CONS

Privacy and security: digital ID systems process billions of data points of our private information, regularly without our consent or knowledge. This information can include biographic details (NGN, date of birth, gender), biometrics (facial recognition, iris scans, fingerprints), banking and transactional data, and location-based info when digital ID is used for example in public transportation (the government has expressed plans to use the Trident ID for cashless payments on buses). The centralisation of so much data, excessive sharing of personal data without user consent, inability to control your personal data, exposure to cyber attacks and data breaches, and in worst case scenarios – mass surveillance by corporations and governments – are all issues which show the potential negative impact of digital ID.

Discrimination, biases and exclusion: the Barbados Digital Identity Act has a number of clauses which generate concerns about discrimination and exclusion. The Act states in several places that the digital ID will be required for persons to be added to the register of voters, to vote in elections, to access public and private services, and to obtain a driver’s license. There are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded (e.g., the Trident ID website currently DOES NOT have several accessibility features for the disabled). Digital ID technologies are also at the end of the day developed by humans, and through poorly designed algorithms and data analytics, can reinforce their biases. Discrimination against key communities such as immigrants, LGBTQ+, homeless, and the disabled, among others, has been highlighted in many digital ID related studies globally.

Technical errors: unintended consequences can occur that lead to restricted access to critical services (e.g., failures in authentication at points of service with no redundancy; websites that aren’t user friendly or stable; duplicate or inaccurate records; inability to add essential information; or the lack of reliable technical support, etc.). The government must fully consider availability risks and identify user-centric and privacy-enabling solutions to mitigate them. In African and Asian countries, numerous instances of technical errors were uncovered which presented citizens with major challenges.

Deployment challenges: five key problems exist, which are the lack of funding to maintain secure cyber systems and to hire or retain critical human resources to administer them; unequal access to mobile Internet and smartphones – the technology with the most potential to drive the uptake of digital ID; dependency on a specific technology or vendor; low trust in government; and the difficulty of rolling out in rural areas.

SHOULD YOU GET THE TRIDENT ID CARD?

As I have stated before, my concern is not particularly with the Trident ID card. The card is only one small piece of the overall digital ID ecosystem. My biggest concerns are as follows:

Poor legislation underpinning the digital ID system: Digital ID must be supported by a legal and regulatory framework that supports trust in the system, prevents abuse such as warrantless and disproportionate surveillance, guarantees data privacy and security, prevents discrimination, and maintains provider (government and corporations) accountability. This includes laws for digital ID management along with laws and regulations for e-government, privacy and data protection, computer misuse, data sovereignty/localisation, electronic transactions, limited-purpose ID systems, accreditation of participants, and freedom of information, among others. Unfortunately, a number of these laws are not available in Barbados at this time, and where they are, the language is problematic, enforcement is deeply lacking, or the legislation is outdated.

Government’s atrocious record in terms of protecting IT systems and the personal data privacy of individuals: The Government of Barbados DOES NOT have the resources (people, processes, or technologies) to secure complex IT systems and provide consistent privacy-enabling solutions. If they did, there would not be so many successful cyber-attacks and data breaches of government online systems in recent years (e.g., Queen Elizabeth Hospital, Ministry of Information and Smart Technology, Immigration Department, Barbados Police Service, and many others). Until government invests significantly in building their capacity in these areas, their IT systems and the personal data of Barbadians will be AT RISK.

The communication (or lack thereof) by government addressing the public angst around their digital ID program: Government has not effectively articulated the benefits of digital ID, its value to the average person on the street (in real and meaningful terms), its potential disadvantages and risks, what they are doing to manage these risks, and what Barbadians can do to protect themselves. Instead they have chosen to evade questions, avoid public discussion with experts involved, and turn their resources towards attacking private citizens who are expressing concerns.

In 2018, I conducted a European Union (EU) cybersecurity assessment for the Government of Barbados. In the report, I clearly stated:

Trust in the Internet and in the use of online services is critical to developing a thriving local Internet economy and to participating widely in the global digital economy. Low trust in the Internet, e-government services, and e-commerce services hampers the government, businesses and consumers from fully taking advantage of all the economic benefits the Internet has to offer. Given the high fixed broadband and mobile data penetration rates in Barbados, this is especially concerning.

European Union Consultancy to Develop a Government Cybersecurity Assessment and Strategic Roadmap – Cybersecurity Assessment Report (Authored by Niel Harper)

From 2018 to this present day, the government has failed to address the low levels of trust or their lack of expertise in delivering secure and privacy-respecting IT solutions, all of which are undoubtedly preventing them from delivering their digital transformation and modernisation agenda (including the implementation of the digital ID).

Ultimately, Barbadians need to decide for themselves if the value of obtaining the Trident ID outweighs the associated risks. I cannot make this decision for anyone. All I can do is educate and build awareness, and try to put some pressure on the government to be more accountable and take greater responsibility for protecting citizens from the negative effects of digital ID, mass personal data processing, cyber attacks and data breaches, human rights violations, online fraud, and other harms resulting from widespread government use of information and communication technologies (ICTs).

ADDITIONAL RESOURCES

FACT CHECK: The Electoral and Boundaries Commission’s Response

Why the Barbados Election Least Data Leak is Problematic – And How It Could Have Been Prevented

Comments on the National Identity Management System Act

Too Many Unanswered Questions: The Barbados National Digital Identification

Creating a good ID system presents risks and challenges, but there are common success factors

What is a digital identity ecosystem?

Understanding the risks of Digital IDs

Comments on the Barbados National Identity Management Systems Act (2021)

Dr. Ronnie Yearwood and Niel Harper recently collaborated to provide expert comments on the National Identity Management System Act (2021) just passed by the Government of Barbados. Given that this piece of legislation was quickly passed with no opportunities for public debate or feedback, we felt it necessary to articulate and ventilate some of our key concerns with the statute in its current form.

GENERAL COMMENTS

Disability and Accessibility

  • In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, there are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded.

Oversight and Liability

  • There is no mention of a supervisory and oversight body that ensures the digital ID system is used for its intended purposes (to prevent abuse and misuse), to audit and certify the digital ID provider and third-party trust services, to address complaints, and ultimately provide redress.
  • There is no mention of the liability to be assumed by the government or trust services providers to ensure due diligence, transparency and accountability of their operations and services related to the digital ID. The digital ID service provider (Government) and trust services providers should be liable for damage caused to any natural or legal person due to failure to implement robust privacy and security controls or otherwise disadvantage individuals via the delivery of the digital ID system.

Breach notification

  • The Act does not speak to data breach notification and the relationship between this statute and the Data Protection Act (2019), which is critically important. Furthermore, the Office of the Data Commissioner does not have the staffing or capabilities to oversee the various activities related to large scale data collection and processing.

Comprehensive digital ID ecosystem

  • The Act does not comprehensively cover electronic signatures, electronic seals, time stamps, electronic documents, and website authentication. The legal effect of the above needs to be clearly defined to avoid confusion. Existing practices, standards and legislation exist that can be built upon to address these matters which are integral to a functional digital ID system. Without those features, the Government will essentially be replacing the existing physical ID cards and not truly realizing the value of a digital ID ecosystem that delivers identity, authentication and trust services.

Interoperability

  • The Act does not speak to an interoperability framework that guarantees the digital ID system is built using open standards and can be seamlessly integrated into national and cross-border digital identity ecosystems.

SPECIFIC COMMENTS

Discrimination and equality before the law

Section 5 (9) “A person who is a visitor shall not be eligible for registration in the National Register unless that person is a person to whom subsection (1) applies.”

(Section 5(1) covers persons, for example born in Barbados or citizens of Barbados who “shall be registered in the National Register.”)

  • The point is that a person who is a visitor to Barbados shall not be eligible for registration in the National Register unless section 5(1) applies.
  • Is it that only Barbadians and persons resident in Barbados must register to gain access to public services (see section 5(10)) regarding the fact that if you are not registered under the Act you cannot get a national registration number, cannot be added to the electoral register to vote, cannot obtain a permit to drive, or qualify to access any goods or services requiring presentation of the ID?
  • This looks somewhat discriminatory because the same requirement does not seem to be placed on foreigners for any access to services. I have not seen a reason for this proposed by the government.

(Also see section 12(1), which reads: “A person who is issued an identification card may be required to produce his identification card (c) for the purpose of voting in an election in Barbados; (d) for the purpose of accessing goods or services provided by the Government or the private sector… and that identification card shall be prima facie evidence of the identity of the person shown on the identification card…”)

Voter’s rights, registration and identification

Section 5(10)(d) “A person who is not registered under this Act shall not qualify to be added to the register of electors or the revised register of electors prepared under the Representation of the People Act, Cap. 12”

Section 34(1) An identification card authorised under section 25 of the Representation of the People Act, Cap. 12 or under the Statistics Act, Cap. 192 shall remain valid for a period of 12 months from the date of the commencement of this Act.

  • Therefore, section 34(1) provides that an ID card under the Representation of the People Act shall only remain valid for 12 months from the commencement of the new ID law. When has the Act been commenced?

Section 12(1)(c) “A person who is issued an identification card may be required to produce his identification card for the purpose of voting in an election in Barbados.”

  • This needs clarification as there should be more than one valid piece of identification to enable voters’ rights […]

To read the entire comments document, please click on this link.

You can also find a full copy of the ‘Barbados Identity Management Act’ here.

Too Many Unanswered Questions: The Barbados National Digital Identification (DID)

In September 2020, it was widely publicised that the Government of Barbados would be introducing a national digital identification (DID) card. As expected, the announcement and subsequent reports have included the usual public service rhetoric about shifting to a digital economy, delivering social benefits, increasing the efficiency of doing business, and transforming the country into an innovation hub. Putting this flowery political language aside, there are a number of questions that remain unanswered regarding the delivery of the DID project. Questions around clear policy objectives, economic value capture, social impact, technology standards and legal requirements that need to be addressed if Barbadians at large are to truly profit from this initiative.

To be fair, a DID system represents innumerable benefits to the nation. It will serve as a key foundational element in transitioning to more accurate and efficient online delivery of government services (e-government), enhancing poverty alleviation and welfare services, reducing fraud, increasing financial inclusion, and serving national security interests.

However, without proper implementation, oversight and control, DID can inflict great harm on society, including the government or corporations profiting from the collection and storage of personal data, political manipulation of the electorate, social control of particular groups through surveillance, and restriction of access to uses such as payments, travel, and social media. Additionally, in the absence of a qualified and experienced project management team, it will most definitely be a ‘white elephant’ – a massive waste of public funds that does precious little to improve the lives of citizens. In the ensuing sections, I will provide a detailed analysis of critical risk areas that pertain to digital ID systems and what must be done to successfully alleviate them. 

To read the full article, please click on this link.

No More Obscurity

With revenues of $36 billion in 2018, the global video surveillance market is growing exponentially, allowing for every mundane activity to be captured and made publicly accessible. Acclaimed artist Xu Bing reviewed thousands of hours of online surveillance videos and transformed this journey into a story about (in)visibility and today’s culture of permanent exposure.

I joined Xu Bing and Jennifer Lyn Morone in a panel discussion titled ‘No More Obscurity’ at the World Economic Forum 2019 Annual Meeting for New Champions (Summer Davos) in Dalian, China.

Using Xu Bing’s story as a backdrop, we discussed the impact of online surveillance on individual privacy and society as a whole in terms of pervasive monitoring.

Locked Up for Linking? US Journalist Faces Prosecution

I have watched with great interest the developments over the course of the last 3-6 months as they pertain to widespread surveillance of Internet users by government agencies. While the NSA surveillance program has been the most publicized, there are reasons to believe that China, India, Pakistan, Russia, Australia and others are conducting similar activities.

One of the things that concerns me most is the double talk coming from most of these countries about “promoting the values and importance of online privacy in the context of basic human rights”. A bad precedent has been set. Let’s just accept this as the reality of things. And unfortunately, this precedent is eating away at some of the basic precepts of Internet growth — trust, openness and user-focused development.

And as you can see from this article, the government actions over the last couple of months have opened a Pandora’s Box in terms of the individual’s right to information, freedom of the press, personal privacy, etc. The implications for the future of the Internet are grave. Let’s just hope that the system is as resilient to political and ideological threats as it is to technological ones.

http://tinyurl.com/pldvwuw