Analysis and commentary
Catherine Riva, Serena Tinari – | Jannes van Roermund
November 25, 2021

Lire l’article en français (en ligne) / Den Artikel auf Deutsch lesen (online)

The use of the Covid-19 certificate today is limited to coronavirus-related statuses. But, as our research and in-depth interviews with specialized researchers show, powerful commercial and governmental players are eager to transform this device into a digital identity wallet (e-ID). Our investigation shows that this shift is underway and induces a profound paradigm change which calls for an urgent societal debate. Unfortunately, this debate is stifled by the regime established in the name of the crisis. Finally, this exclusive by Re-Check shows that the Swiss authorities do not exactly manage the sensitive data of COVID certificates the way they claim.

Many countries have introduced a Covid-19 certificate system which can allow to travel, and in many instances participate to social life, up to being able to work. This three-parts series by Re-Check in collaboration with Dutch investigative journalist Jannes van Roermund digs deeper in the functioning of an unprecedented tool that links medical data to freedom of movement. In this second episode, you’ll learn about some of the players that are working to make e-ID systems implemented worldwide.

The COVID crisis is accelerating the development and the implementation of e-ID systems, that have been since several years pursued and developed by an array of commercial and governmental entities. In this episode, a graphic visualization puts together many different players that have something to do with this historical though potentially concerning development. The public deserves to be informed about these developments.

Analyse et commentaire

As we saw in the first episode of our series, Covid-19 certificates carry a significant risk of “function creep”. One of the possible function creeps for this device coincides precisely with the agenda of powerful interest groups. Since 2020, these private and state actors have been presenting the implementation of the Covid-19 certificate as a gateway to a more comprehensive and more universal device: a wallet for digital identity (e-ID).

Analyse et commentaire

Second episode: What the Covid crisis has to do with e-ID

The digital identity (e-ID or electronic identity) is a digital solution that allows citizens to prove their identity. It functions by linking a unique identifier to a set of attributes stored in digital form (name, date of birth, gender), which are themselves linked to credentials. The e-ID can be used to consult certain documents, but also to access benefits and services provided by authorities, banks and other companies, for mobile and online payments, etc. As stated by the European Commission, e-ID “can guarantee the unambiguous identification of a person and ensure that the right service is provided to the person who is actually entitled to it”.

PwC - Digital identity

Above: e-ID ecosystem by PwC (Digital identity, 2019)

For its supporters, the e-ID would enable a whole ecosystem of products and services, which would make people’s lives much easier. According to consulting firm PwC , ses attributs de base pourraient être complétés par d’autres attributs et d’autres documents (numéro de sécurité sociale, dossiers médicaux, informations biométriques, diplômes scolaires, etc.). its core attributes could be supplemented by other attributes and documents (social security number, medical records, biometric information, school diplomas, etc.). It could serve as a “catalyst for digital transformation” by intervening in countless everyday occasions: opening a bank account, taking out a loan, filing taxes, taking out an insurance policy, etc. Finally, it would lead to substantial savings. According to a report report by the consulting firm McKinsey the extension of full digital ID coverage could unlock economic value equivalent to 3% of GDP in 2030 in advanced economies, with “slightly more than half of the potential economic value accruing to individuals”.

But digital identity has also historically been viewed with great skepticism and reservations by many experts. “While these systems are supposed to be highly secure and trustworthy, they present many privacy and access risks,” say Tommy Cooke of the Surveillance Studies Centre at Queen’s University in Canada and Benjamin J. Muller, Associate Professor in the Department of Political Science at King’s University College, University of Western Ontario. Before stressing that these risks go beyond issues of cybersecurity, responsible governance and organizational accountability: “We encourage everyone to ask themselves this big but important question: what does it mean to digitize identity, and what is the model identity? In other words, what is the model citizen of a digital ID system, and how will their citizen profile be used to develop the data categories and databases needed for verification? As we know, verifiable credentials make statements about people, including their citizenship, gender, legal status, physical attributes, affiliations, and more, there will be many people who, on paper, do not exactly match the model citizen. These individuals could be subject to travel bans, extraordinary scrutiny, or other restrictions on civil rights and liberties simply because they have an extra passport, because they have traveled to certain places, because of their marital status, employment, etc.”

Victims of systems failure and bias

The example of Aadhaar, India, illustrates the problem. In India, e-ID is already a reality for more than one billion people. Aadhaar is now the largest biometric identification system in the world. In addition to serving as a gateway to government services, this system created by billionaire Nandan Nilekani with the support of Mastercard for the payment solution, tracks users’ movements from one city to another, their professional status and their transactions. Enthusiastically presented by Paul Romer, then chief economist of the World Bank, as “the most sophisticated identification program in the world”, Aadhaar also has its flaws, whose consequences can be dramatic. Investigations in 2017, for example, revealed that they had resulted in death cases, because the system had denied food rations or mistakenly paid pensions to the wrong individual, due to authentication failures related to poor connectivity, biometric failure, a server problem, erroneous data linkage, error messages and other technical failures. As a result, 2.5 million people in the northwestern state of Jarkhand were denied their monthly grain ration because the system excluded them.

Unfortunately, the system has not been corrected to prevent future tragic failures. On the contrary, explained Sunita Sheel, an anthropologist and independent bioethics researcher in Mumbai, “things worsened during the pandemic”. “In India, she further points out, the lobby that is critical of this aggressive approach by the state to the introduction of digital technology has been strong and yet there is little difference we could make to adversities that marginalized communities experience on ground and so is the middle class.” Today in India, an individual’s Aadhaar account is linked to all sorts of data and systems: to the PAN (Permanent Account Number), the PDS (Public Distribution System), the Direct Benefit Transfer (DBT), and their bank accounts. “Even getting a new passport is not possible without having Aadhaar, said Sunita Sheel. Purchase and transfer of a property cannot be done without producing/sharing Aadhaar with the concerned authorities.” The researcher acknowledges that “issues relating to data sharing with third parties without meaningful consent of the users of these apps (…) could be somewhat better in regions where legal and governance environments are better”. But that would not necessarily be enough, given the financial stakes associated with this “new oil” that is data, and this “across sectors: health, education, agriculture, pandemic”, concludes Sheel.

In Europe too, Covid-19 certificates regularly fail (1) (2) (3) (4) (5). However, with each failure, it is the certificate holders who find themselves unable to access places that are supposed to be reserved for them. All of these cases illustrate a major problem inherent in such systems: it is always the person whose verification fails who is considered to be in violation – even though the failure may be due to an error or bias in the system design.

The e-ID lobbies have cemented certain beliefs among policymakers. “Smartphones are increasingly seen by authorities as technologies that can fill several gaps simultaneously,” note Tommy Cooke and Benjamin J. Muller. Not only to address the perceived inability to provide public safety, but also to overcome economic hardship.” So, after being the go-to medium for tracking apps, smartphones are now the go-to medium for Covid-19 certificates. “As passports or vaccination certificates are increasingly seen as vital public safety functions, private sector entities such as restaurants, bars, gyms and clubs are now required to ask for proof of identity and vaccination,” the Canadian researchers further remind us. For whom, over the Covid crisis, “the smartphone has become much more than a simple calculator and analysis tool. It is now also a vector of truth in the context of citizenship and health status. Equally important, it is also becoming a vehicle for economic recovery and stimulation.”

As a result of this shift, more and more governments are ready to jump on the e-ID bandwagon and “make it happen” by leveraging the infrastructure put in place for Covid-19 certificates: “Digital identity systems are booming,” confirm Tommy Cooke and Benjamin J. Muller. Shortly before or during the pandemic, many governments around the world (e.g., the United Kingdom, Australia, New Zealand, the European Union, Canada, among others) announced that they would be developing technology systems designed for citizens and organizations to prove their identity, or that they were already in the process of doing so.”

Transformation underway in Switzerland and the EU

The European Commission, for example, is now openly expressing its desire to see the EU’s Covid-19 certificate evolve into an e-ID wallet solution. As Charles Manoury, spokesperson for the European Commission, explained to us: “The template solution made available to the Member States to build apps to store EU DCCs [EU Covid-19 certificate, ed.] are early forms of what can evolve to a fully-fledged digital wallets and work with Member States on this matter will continue in the coming months.”

Yet, when it announced its intention to roll out the Covid-19 certificate in March 2021, the European Commission did not warn its citizens that the “common model developed with Member States to facilitate the recognition of EU paper-based COVID certificates” was intended to evolve into a “fully-fledged digital wallet”. On the contrary. It stated that Covid-19 certificates were “linked to the COVID-19 pandemic”, and the “digital green certificate system” would be “suspended once the World Health Organization (WHO) declares the end of the public health emergency of international concern caused by COVID-19” and could only be reactivated if “if the WHO declares a new international public health emergency caused by COVID-19, a variant of it, or a similar infectious disease”. The prospect of a Covid-19 certificate evolving into a “full-fledged digital wallet” therefore contradicts these assurances of limited use, both in time and in terms of scope.

Switzerland is also participating in this movement with its new e-ID bill. On March 7, 2021, 64.4% of Swiss voters rejected the first e-ID bill. Only three days later, the first efforts to get the ball rolling again were already underway: on March 10, 2021, six motions of identical content were tabled in Parliament, calling for the introduction of a “state-run system that allows people to prove their identity online, in the same way that they can do so in the real world with an ID card or passport. The solution will be able to rely on products and services developed by the private sector, said the text of the identical motions. On the other hand, the granting of e-IDs and the operation of the system will have to be assumed by specialized public services.” Things did not drag on and the consultation ended on 14 October 2021.

By July 2021, lobbying had taken its toll, and the Aargauer Zeitung reported that no one wanted the e-ID before, but Covid had changed the situation. “After a year and a half of the pandemic, the digital world in Switzerland is not the same as it was before Covid. The Covid application and the Covid certificate, created in the same spirit, have laid a new foundation,” said the article, which quoted the enthusiastic words of Gerhard Andrey, a green national councillor. For this IT entrepreneur, the SwissCovid app and the Covid-19 certificate had initiated “a whole new dynamic in Switzerland” and “marked the political mainstream”. In short, “an electronic identity card of similar inspiration could be a hit”, we were told.

Linking immunization status, biometrics and e-ID

One thing is certain: the companies and interest groups that want to impose the e-ID are not just making theoretical considerations and have not waited for the Covid crisis to become active.

This veritable “digital identity industry” has been at work since the early 2010s, and especially since 2014: that was the year the World Bank launched the Identification for Development ID4D. It is supposed to help countries achieve the United Nations Sustainable Development Goal 16.9: “By 2030, provide legal identity for all, including birth registration.” According to the World Bank, achieving this goal is expected to make “progress” toward “poverty eradication, inequality reduction, gender equality and women’s empowerment, safe and orderly migration, universal health coverage and financial inclusion”. The implementation of the e-ID and its potential real-world applications have therefore been tested for several years now, particularly in countries of the southern hemisphere.

Illustration: Aleksandra Roth-Belkova

Illustration: Aleksandra Roth-Belkova

For example, the idea of coupling immunization status and e-ID dates back to 2018. It was introduced by the ID2020 Alliance, which proposed to take advantage of the fact that, in many developing countries, immunization coverage far exceeds birth registration rates. It was estimated, ID2020 wrote, that “more than 95% of the world’s children receive at least one dose of a vaccine” and that “86% of the world’s children receive the recommended three full doses of diphtheria, tetanus and pertussis vaccine, which is commonly used to measure immunization coverage”.

So its proposal was: use vaccination as an “entry point” to implement an e-ID system, linking vaccination status to a biometric identification system. “Immunization represents a tremendous opportunity to provide children with a durable, portable and secure digital identity early in their lives,” ID2020 bosted. Meanwhile, the principle has been put into practice in a project in Bangladesh , where “less than 40 percent of children receive a birth certificate by the age of five”, but where the immunization rate reaches “97 percent for preventable diseases”. ID2020 now manages biometric enrollment and digital identification of infants there when they receive routine vaccinations. In September 2019, Gavi CEO Seth Berkley expressed his desire to see the program expanded to all developing countries, in collaboration with players like Facebook and payment company Mastercard, which is very involved in the e-ID space.

Also in 2018, as ID2020 presented its project, Mastercard opted for the same “entry point”, partnered with the Gavi alliance for this purpose and approached Trust Stamp, uan artificial intelligence-based identity authentication company. The goal of the project: to establish a biometric identity platform in remote, low-income communities in West Africa. The starting point is the Wellness Pass, a digital vaccination card linked to an identity validation system powered by NuData, Mastercard’s artificial intelligence and machine learning technology. The platform devised by these three players was launched in June 2020, with a solution developed by Trust Stamp integrated into Gavi and Mastercard’s Wellness Pass. In both cases, the specter of surveillance and immoderate aspiration of sensitive biometric data was never far away. The Trust Stamp technology in Mastercard’s project, for example, is also one that the company offers to law enforcement and prison systems for surveillance and predictive policing purposes .

Ghost-management at work

In parallel to these on-the-ground-activities, the various stakeholders have set up a vast lobbying apparatus to advance their agenda and facilitate the transition to e-ID on as global a scale as possible. This complex web of supranational signs and initiatives is carried by giants of globalized capitalism, government agencies, banks, credit companies, central banks, entities under contract with government agencies, billionaires’ foundations, consulting firms, as well as a myriad of corporate backers.

 Below: Re-Check took a detailed look at the players around eight initiatives, and their interests. High-resolution graphics with comments and details are available here.
Among the actors involved are foundations, governmental and non-governmental organisations, consulting firms, technology giants (Big Tech), but also university clinics, representatives of the eHealth domain, not to mention a multitude of companies active in the field of digital identity solutions, biometric data and technologies such as blockchain (non-exhaustive list). Many of these players are part of what Privacy International calls the “e-ID industry”.
The arrows between the different players should not be interpreted as evidence that “someone is pulling the strings”.
They only represent links of interest that we have been able to identify. Their number speaks for the magnitude of the efforts and the stakes, in financial terms, but also in terms of control. 

Their figureheads communicate with vague and soothing terms, which present the e-ID as an empowerment solution, , a guarantee of trust, security, simplicity, comfort, frictionless transition and above all “inclusion”: inclusive development, inclusive financial services, inclusive growth, digital inclusion, political inclusion, inclusive technology… The e-ID would also be the key weapon against “identity theft”, the seriousness of which these actors never tire of emphasizing.

The good feelings are not left out: who would be black-hearted enough not to wish, with ID2020, that all newborns could “access a wider range of social services” and the “health interventions that all children need and deserve”?

These vibrant appeals should not obscure the fact that for this vast conglomerate, the e-ID represents above all an extraordinary windfall: in financial terms for commercial actors, and in terms of control and surveillance for government actors. Representatives of surveillance capitalism, biometric technologies and tracking are prominent among them. For example, among the most enthusiastic supporters of the transformation of Covid-19 QR codes into e-IDs are Thales (6) (7) (8) (9), the French biometric and surveillance technology giant. Or the British company iProov, which specializes in online biometric authentication.

Accelerating crisis

The Covid crisis has thus given a powerful boost to an agenda driven by a powerful complex that had been maturing for a good decade. The fruits now seem ready to be harvested and expectations are high. According to market research firm Mordor Intelligence, 72% of online marketplaces have strengthened their identity verification technology “because of Covid-19” and digital identity verification is increasingly a critical component of the banking industry. According to the MarketsandMarkets portal, the digital identity solutions market is expected to be worth $30.5 billion in 2024 and $49.5 billion in 2026. Some startups active in the field of digital identity based on artificial intelligence, biometric data or machine learning, can now expect to raise up to $1 billion in funding.

If the most apparent lobbies of the digital identity industry are above all linked to private companies and foundations, this does not imply that the solutions brought by the States are by definition benign. Even in the case of the European Union (EU).

In its communication, the European Commission emphasized its desire to see EU residents “keep control” of their data, “rather than share it with technology giants like Google and Facebook”. This stated desire to “protect citizens from digital giants” has not stopped the EU from investing billions of euros in surveillance and biometric technologies over the past 15 years. In December 2020, an investigation by The Guardian revealed that between 2007 and 2020, Horizon 2020, the EU research funding program in which Switzerland participates, supported the development of security products for police forces and border control agencies in the public and private sectors to the tune of €2.7 billion. Most of these products involved technologies such as artificial intelligence, drones and augmented reality, facial, voice, vein and iris recognition, and other forms of biometrics that could be used for surveillance.

In January 2021, a survey published on voxeurop highlighted that a growing number of biometric innovations that had recently been deployed in various European countries (e.g., biometric verification for parcel delivery, payments using facial recognition and biometric payment cards) would be suitable for inclusion in a central identity. The article concluded that the decision to use only digital identity and Covid-19 certificates as a means to “get back to normal” opens the door to an unprecedented surveillance system, through which citizens could be disenfranchised.

Finally, it is certain that the private lobbies will use their full weight to influence the future functionalities of the EU e-ID and the legislation that will frame it. While welcoming the European Commission’s initiative, they have already stressed the importance of integrating industry,  finance and private sector know-how in the design of the final device.

In the next episode, we will look at the central banks’ e-ID projects and the consequences they would have for citizens if they were to be put into practice. We will also see that the promises that e-ID proponents regularly put forward are unlikely to be fulfilled, because the technologies they advocate are not just doing what they are supposed to do.