Policy Significance Statement

Projects initiated for developmental outcomes in developing country contexts should place greater emphasis on the human rights impacts of their initiatives. When these projects are national ID projects, concrete technical implementations that make it more difficult to abuse data and that give people agency and choice in the use of IDs need to be instituted. While data protection laws are important in developing countries, they are seldom sufficient to safeguard against data abuses and other human rights deprivations.

2. The Onset of Mistrust

The world is facing a pandemic of mistrust. Mistrust in governments, businesses, media, civil society, and other institutions that serve society has become strained in the past few decades (Zuckerman, Reference Zuckerman2021). One acute manifestation of this problem is the decline in the trust of traditional news sources. Sources of news that had been trusted for decades are succumbing to mistrust as we grapple with a “post-truth” world (Peter, Reference Peter2017) where “fake news” or “alternative facts” hold sway. The rise in global mistrust in news sources has been clearly felt through the COVID-19 vaccine hesitancy around the world despite persistent media messaging vouching for the safety of vaccines.

Governments are perhaps the most high-profile targets of public mistrust. The 2021 Edelman Trust Barometer (Edelman, 2021), an online survey of over 33,000 respondents in 28 countries (representing 17% of the global population), reports that governments were mistrusted in 13 of 27 countries, including Nigeria, South Africa, Argentina, Colombia, Russia, Spain, Japan, Kenya, Brazil, the United States, the United Kingdom, Mexico, and Ireland. Respondents in a further six countries—France, South Korea, Italy, Thailand, Canada, and Germany––reported neither trust nor mistrust in government, while only nine countries—Australia, Malaysia, the Netherlands, Indonesia, Singapore, United Arab Emirates (UAE) and China––had survey respondents reporting trust in government. This is a recurring trend—an analysis of the data on mistrust in the Edelman Trust Barometer for 4 years from 2018 to 2021 (Edelman, 2018, 2019, 2020, 2021) shows a pattern of mistrust in government. In each year of the survey, the majority of countries surveyed reported a mistrust of government over trust—21 of 28 countries in 2018, 16 of 26 in 2019, 17 of 28 in 2020, and 13 of 27 in 2021. Only five countries in 2018, seven in 2020, six in 2019, and nine in 2021 reported trust in government with the remainder of countries in each yearly survey reporting neither trust nor mistrust (neutral).

An important aspect of the concept of mistrust is that mistrust, especially institutional mistrust, is usually the result of institutions underperforming (Zuckerman, Reference Zuckerman2021). This is applicable to the situation in Africa, where government services in some countries are either poor or nonexistent. In Africa, citizens have been known to mistrust government messaging on Ebola outbreak prevention methods in the Democratic Republic of Congo (Vinck et al., Reference Vinck, Pham, Bindu, Bedford and Nilles2019) and polio vaccines in Northern Nigeria (Grossman et al., Reference Grossman, Phillips and Rosenzweig2017) because the government could not be trusted on other things—particularly in the execution of government services. This theme of mistrust stemming from gaps in the social government contract is the theme of this paper and erupted into the tumultuous EndSars protest of October 2020 in Nigeria.

3. The EndSars Protest

The EndSars protest of October 2020 was a watershed moment in the history of Nigeria. For the first time, the nation’s youths were unified in action to protest targeted violence by the security services and perceived poor governance by a ruling class which included few of their generation (Iwuoha and Aniche, Reference Iwuoha and Aniche2021). Nigeria’s population, like elsewhere in Africa, is very young. The percentage of the population of individuals 0–14 years is 43% (World Bank, 2021a,b,c).

With a youth unemployment rate of 42.5% (National Bureau of Statistics, 2021), there has always been a deep-seated resentment among Nigeria’s youth that they had been given the raw end of the deal by a country that had largely ignored them. Today, Nigeria is classified as the country with the largest number of people living in extreme poverty in the world (Slater, Reference Slater2018), yet in this dire context, thousands of youths have labored to forge out a living through engagement in sectors such as technology, where Nigeria’s youth have carved out an international reputation in technology hubs across the country (Ramachandran et al., Reference Ramachandran, Obado-Joel, Masood and Omakwu2019). Through crafts such as coding, website development, and app development many Nigerian youths have defied the poor working environment in the country. Unfortunately, Nigeria also has a cybercrime problem (Aransiola and Asindemade, Reference Aransiola and Asindemade2011; Ibrahim, Reference Ibrahim2016), and in tackling the problem of cybercrime, security agencies have often painted cybercriminals in Nigeria’s cities with the same brush as the teeming population of youth technology entrepreneurs (Okunoye, Reference Okunoye2021). They are in the same generation, carry the same technology devices, and often have the same lifestyle—while cybercriminals might have access to easy money through proceeds of fraud, technology entrepreneurs have incomes that make for comfortable lifestyles. This targeting by security services of the young army which populate Nigeria’s booming technology sector, leading to harassment, arrests, and deaths sparked the EndSars protest and led to a bigger rally against perceived poor governance in Nigeria.

The EndSars protest has changed Nigeria, bringing to the fore a new generation of Nigerian youth who have demonstrated they will not be content with the status quo (BBC, 2020). Having never witnessed such a sustained, determined, and spontaneous protest by youth calling it to account, the Nigerian government responded by commencing negotiations with the youth and announcing the reopening of tertiary institutions—a tactic to diminish the number of protestors. Despite ongoing negotiations, the protesters were not convinced of the sincerity of the government to meet all their demands—which included a genuine and thorough disbanding of the police Special Anti-Robbery Squad (SARS). When protests continued, on the night of October 20, 2020 in Lekki Nigeria, the focal point of the protest, armed soldiers opened fire on unarmed protesters leading to loss of many lives and injuries in an incident that sparked major international outrage with politicians and leaders across the world reacting to the violence used against unarmed protesters (DW, 2020).

4. Updated ID Policy

The relationship that end-users have with the government has a strong influence on their behavior and attitudes toward identity (Wilson, Reference Wilson2019). This was perfectly exemplified by the turn of events in Nigeria leading to the first major resistance to Nigeria’s digital ID project, following the government crackdown of EndSars protesters on October 20, 2020. Immediately following the violent government response, bank accounts of individuals perceived to be leaders of the protest were frozen (Human Rights Watch, 2020), although it was clear this was a truly organic and spontaneous reaction of young people across the country. An EndSars organizer was prevented from traveling, having been placed on no-fly lists monitored at the country’s border exits (Kabir, Reference Kabir2020). Businesses perceived to be supportive of the protests were also targeted, including Flutterwave, a technology start-up founded by young Nigerians which had a few weeks earlier been valued at over US$1 bn (Adebowale, Reference Adebowale2020). Flutterwave represented the kind of endeavor young Nigerians in the technology sector were engaged in and it was active as a payment platform during the EndSars protests. After having been shot at, and had their freedom curtailed for participating in peaceful protests, the aftermath of the EndSars protests led many young Nigerians to feel disillusioned about Nigeria. Many openly expressed their desire to leave the country (Jones, Reference Jones2021).

Three months after the EndSars protests, the Nigerian government through the Nigerian Communications Commission, the Communications Regulator, released an updated National Identity Policy working closely with NIMC (NCC, 2020). Central to this revised policy was the requirement that people who had enrolled for the NIN link their subscriber identifier module (SIM) card with their NIN through an online link or the ‘Unstructured Supplementary Service Data’ (USSD) code *346# dialed on any mobile network in Nigeria (a USSD code is a Global System for Mobile Communications (GSM) protocol that is used for information services). The policy also required data on citizens’ International Mobile Equipment Identifier (IMEI) numbers. For the first time since the start of the national ID project in 2007, there was significant and vocal resistance (Iruoma, Reference Iruoma2021) to the ID project from among young people who read the updated policy and its requirements as means to strengthen the powers of government surveillance and restrict their freedom.

Nigeria’s youth represent the largest segment of the population (World Bank, 2021a,b,c) and significant resistance within this demographic does not bode well for plans to ensure inclusivity and adoption of the country’s ID project. In retrospect, given that the relationship that end-users have with the government has a strong influence on their behavior and attitudes towards identity (Wilson, Reference Wilson2019), and institutional mistrust is strongly linked with institutions such as government underperforming (Zuckerman, Reference Zuckerman2021), it is probable that if Nigeria’s youth unemployment rate were not so high (42.5%) and youths were otherwise profitably employed and engaged within the economy, the resistance demonstrated towards the national ID might have been much less, and the EndSars protests might not have been as severe. The link between the abject condition of the country’s youth and the raging EndSars protests was tacitly acknowledged by the government, which quickly moved to reach an arrangement with the academic staff union of the nation’s Universities who had been on a strike in protest of poor working conditions (Olufemi, Reference Olufemi2020). The Universities were thereby ordered to reopen, and students were urged to return to their campuses, in a bid to drain the fervor of the protests.

Another facet of the institutional mistrust and societal tensions around digital identity projects stems from the perceived legality of the actions of implementers and administrators of the project (Manby, Reference Manby2021). In the UN SDG 16.9 plan to “provide legal identity for all” for instance, the rule of law and legality is implied as core tenets of any identity regime. The 1948 Universal Declaration of Human Rights (UDHR) and the 1966 International Covenant on Civil and Political Rights (ICCPR) are among the international human rights standards establishing the right to an identity, thus giving the provision of identity a footing within established international legal frameworks. Although Nigeria’s national identity project is backed by law and extensive policies, the deep mistrust and hesitation towards the government ID policy such as the NIN-SIM linkage discussed above, which concentrates power in the hands of the government, cannot be divorced from observations such as the government ignoring court orders and, in some instances, seemingly treating the Judiciary with disdain (Kabir, Reference Kabir2019; Olaniyan, Reference Olaniyan2019).

This paper also endeavors to make a distinction between “trust” and “trustworthiness” in digital identity systems, buttressing the work of researchers, some of whom have rightly expressed that a digital identity system might be trusted even when it is not trustworthy (Maple, Reference Maple2021). In the context of digital identity systems, “trust” can be defined as a belief in the integrity of the system, while “trustworthiness” refers to the extent to which it is deserving of trust (Maple et al., Reference Maple, Epiphaniou and Gurukumar2021). That is, although governments might strive to win the trust of the public in national identity systems through consistent messaging by the specific ministry in charge of implementing the ID, when internationally acknowledged technical pillars underpinning the trustworthiness of the ID system are lacking or poorly implemented, it is clear they do not deserve the trust they seek to gain. Prominent research and multilateral organizations have worked to establish the pillars of what might constitute a trustworthy digital identity system.

For instance, a group of 28 international organizations including the World Bank, the United Nations Development Programme (UNDP), and the International Telecommunications Union (ITU), have endorsed “Principles on Identification” (Desai and Clark, Reference Desai and Clark2021; World Bank, 2021a,b,c). These 10 principles consist of three pillars, inclusion, design, and governance which make up the 10 principles defined below (Table 1).

Table 1. Principles of identification

Similarly, the Alan Turing Institute (Maple et al., Reference Maple, Epiphaniou and Gurukumar2021) has identified what constitutes the pillars of Trustworthy digital identity, defining six facets of trustworthy digital identity systems as:

1. 1. Security: “The protection of data, information and systems against unauthorised access or modification whether in storage, processing, or transit and against denial of service to authorised entities.”

2. 2. Privacy: “Ensure that personal and sensitive information transmitted, processed, and shared is treated privately, in adherence to legal and regulatory restrictions governing its use”.

3. 3. Robustness: “The ability of the system to continue functioning in the presence of internal and external challenges without fundamental or drastic changes to its original operations or state”.

4. 4. Ethics: “Ensure transparent, responsible, and auditable operations throughout the whole lifecycle of data and information management in systems whilst enabling user empowerment into this process”.

5. 5. Reliability: “The ability of the system to perform in a consistent and expected way during a period of time in which it adheres to its performance specifications adequately”.

6. 6. Resiliency: “The ability of the system to adjust to internal and external conditions by adapting its operations to ensure the continuation of expected service under these new conditions.”

The six facets of trustworthy digital identity further consist of 16 facet attributes and 49 features and mechanisms (Maple et al., Reference Maple, Epiphaniou and Gurukumar2021).

Nevertheless, as Manby (Reference Manby2021) notes, the organizations that shape digital identity research and policy sometimes have only limited enforcing power to ensure that these Trustworthy ID principles are indeed implemented in specific country contexts. For example, the World Bank, a major funder of Nigeria’s national ID, has made several recommendations (some listed in the section below) on how to improve the trustworthiness of the system.

It is true that a national digital identity system might be trusted by its users because of effective government messaging to that effect, even though it is not trustworthy as defined by the parameters above. However, the converse might also be true. A trustworthy digital identity system, which has made significant progress towards implementing the pillars of trustworthiness, might still be untrusted by many users in a country because of the fraught relationship people have with the government, reinforcing the observation that the relationship that end-users of identity have with government shapes the uptake of digital identity (Wilson, Reference Wilson2019).

In Nigeria this effect is measurable. Data from the National Bureau of Statistics (NBS) shows a decline of over 12 million active Internet subscribers in Nigeria from Q4 2020 to Q4 2021 (National Bureau of Statistics, 2022). Many were people who were removed from the network because they refused to comply with the government NIN-SIM directive. A perspective from the government is that these individuals are “criminals” who refuse to be registered by the government because they do not want to be “regularized” (Okon, Reference Okon2022). However, it is unlikely that such a significant decrease of 12 million (7.99%) Internet connections can be attributed solely to individuals trying to evade the law. Government policy has been the source of some public discomfort (Iruoma, Reference Iruoma2021) and government mistrust is a possible explanation as to why there was a reduction in Internet subscribers.

This difficult citizen-government relationship which creates scenarios such as the EndSars protest and its aftermath, is common with fledgling democracies where the rule of law and accountability need to be strengthened. Admittedly, this might be a long-term project. In such low trust environments, however, it becomes imperative that at least the basics—the pillars of trustworthiness—are fully and not partially covered, in order to restore trust.

5. Restoring Trust

At the core of the mistrust around Nigeria’s digital IDs is the question of whether IDs will be a vehicle of good governance reflected in the respect of fundamental human rights and diverse viewpoints, or rather an instrument of oppression, surveillance, and clampdown on human rights. This reflects the global debate and tension on the use of data and technology in the aid of international development (Weitzberg et al., Reference Weitzberg, Cheesman, Martin and Schoemaker2021). That is, do data technology projects such as national ID projects serve the interests of “data justice”—respecting human rights and improving the human condition, or instead “data injustice”—empowering exploitation and human rights violations (Dalton et al., Reference Dalton, Taylor and Thatcher2016; lliadis and Federica, Reference lliadis and Federica2016; Taylor, Reference Taylor2017)? The goal of the national identity project as stated by NIMC is to serve as a vehicle of national development through enabling the delivery of social services, stamping out public waste, and tackling insecurity. Nevertheless, the events narrated above heightened the perception that there was a link between the updated National ID policy and an intent for government surveillance and clampdown on civil freedoms. Those perceptions stemmed from the current practice of Nigeria’s democracy—which has made a lot of progress, yet still has some way to go to reflect the best ideals of democratic practice. While solving democratic ills might be a long-term project, there are specific short-term design choices that might be implemented to restore trust in digital identity projects in emerging democratic contexts such as Nigeria.

5.2. Federated databases: Decentralized systems providing choices

An important characteristic of trusted ID systems is the federation of identity providers that provide choices to users (Whitley, Reference Whitley2018; Mozilla, 2020; World Bank, 2021). An example of a federation in national ID systems is found in the United Kingdom (UK), which has no single foundational ID system except for a civil registry. Under the UK system, people employ a combination of several identity credentials such as driving licenses, passports, and birth certificates to prove their identities for public and private transactions using the GOV.UK Verify platform for authentication.

The UK represents one of many nations including the United States, France, Australia, and Canada where centralized ID databases that mandate the use of a national ID card were resisted (Mozilla, 2020). These nations are among the most advanced democracies in the world with high human rights standards including data protection frameworks. Yet, despite these data protection safeguards, there seems to be little enthusiasm for technical implementations that rely on the centralization of citizen data (AccessNow, 2018).

According to the World Bank, a rationale for centralized ID databases like that of Nigeria’s national system is that the country’s previous identity landscape was fragmented, disconnected, and duplicative with at least 13 different Federal governments and about three state government agencies running identity programs (World Bank, 2020), some with biometric data. Some of these Federal government agencies include the Nigerian Immigration Service which issues passports, National Population Commission which manages the civil registry, the Independent National Electoral Commission (INEC) which manages the voter’s registry, and the Federal Road Safety Commission (FRSC) which issues driver’s licenses. According to a 2015 World Bank estimate, Nigeria might have spent a wasteful US$4.3 billion to implement this fragmented ID system (World Bank, 2020).

The fragmented nature of Nigeria’s identity system was the rationale for mandating the compulsory use of the national ID card as the sole identity provider (NIMC, 2007, 2019). However, perhaps the best response to a fragmented identification landscape where at least 16 IDs held sway in the country is probably not a unified identity landscape where only one ID is used. The former is a failure of coordination and planning within different segments of government who were not under coercion to use this fragmented system, while the latter is perhaps a hurried reaction to the former. This replaces one problem—disorderliness and waste, with a different type of problem—centralized control and an absence of choice and agency for people in the use of IDs. National ID practices like those described above in the United Kingdom where the country functions without a centralized ID system, and a diverse but limited set of IDs cater to a population might be examples to draw from. For Nigeria, what if between birth registration, passport, driver’s license, bank verification number (BVN)/pension number, national health insurance number, SIM registration, and voter’s registration we create an identity ecosystem similar to the UK’s GOV.UK where people have choices and agency in the appropriation of IDs? Many of the existing ID systems in Nigeria already collect rich and detailed information, including unique biometric identifiers, and boast enrolment figures exceeding or similar to, the figures for the national ID. Finding the right balance of number of approved IDs in the national ecosystem (of which the national ID is a part) is key. The national ID can serve as part of a whole ecosystem of identity, rather than the sole identity.

The enrolment data from the current national ID program suggest the correctness of this ID strategy. To enroll for Nigeria’s national ID, an individual must ordinarily provide any of 19 feeder identification documents (NIMC, 2021), five of which are described in Table 2. Data from enrolment suggest that the majority of those enrolled so far are individuals who already had one of these feeder IDs and NIMC efforts are now directed at a second phase of enrolment specifically targeted at those without these feeder documents, by allowing them to present alternative means of proving their identities (ID4Africa, 2021a,b; Mojeed, Reference Mojeed2021).

Table 2. Enrolment figures or coverage of selected IDs in Nigeria

^a https://www.unicef.org/nigeria/press-releases/only-43-cent-nigerian-childrens-births-registered-unicef;

^b https://www.electionguide.org/countries/id/158/;

^c https://www.nigerianstat.gov.ng/pdfuploads/Road_Transport_Data_-_Q2_2018.pdf;

^d Many drivers lack licenses, and other license holders have multiple cars;

^e https://www.ncc.gov.ng/statistics-reports/industry-overview#gsm;

^f https://nibss-plc.com.ng/services/bvn;

^g https://nimc.gov.ng/nimc-reaches-more-than-sixty-million-60-unique-nin-records/.

Federated and decentralized ID systems present practical security and privacy advantages. One, they do not present a single point of failure in the event of a cyber breach. An attacker who gains access to a database is limited to only the data contained therein and cannot access other records. The importance of this feature was demonstrated in 2021 when hackers gained access to the Argentinian national ID registry (ID4Africa, 2021a,b). They also demonstrate some robustness and resiliency—a technical downtime in one system does not ground the entire identity ecosystem. The usefulness of this feature was demonstrated in February 2022 when a technical glitch occurred in the government IT services provider which hosts the servers of NIMC (Okunoye, Reference Okunoye2022). This left many individuals and organizations needing to access NIN verification services stranded for over 10 days, with no effective alternatives.