Brazil’s National ID System — disorganised and dysfunctional
This piece is part of the Identity and Internet Series, written by Yasodara Cordova of Harvard Kennedy School and Coding Rights, a member of the Privacy International Network. It does not necessarily reflect the views or position of Privacy International.
The document at the top of Brazil’s ID system, known as an “RG” or “identity card”, does not follow any technical standards, though possession of the card is a fundamental prerequisite to the exercise of various rights.
In Brazil, ID cards are mandatory and form part of a complex array of identification schemes that overlap several times and include more than 10 different types of numbers. In this series, the main ID cards will be analysed from the perspective of their relationship to the Internet and e-government services. The ID cards considered are:
** the CPF — the number that connects Brazilian citizens with financial services; and ** the birth certificate and other civil registries.
Ensuring someone’s identity while protecting against fraud is a persistent problem for many public servants. With the Internet, governments are being challenged to provide better, digitally delivered services to citizens. Expressions such as ‘e-government’ and ‘digital government’ are associated with the emerging view that the Internet is a platform for open, agile, and transparent service delivery. Questions on the “official” digital identification of citizens started to emerge because the ability to verify their identity is key to accessing government services.
In Brazil, the identification of a citizen is considered a mandatory for the provision of social benefits and rights. It is therefore necessary to re-think the connection between citizen identification and regulatory practices, in order to identify data protection concerns in the Internet era, especially in countries where third party companies are the intermediaries of digital services provided by the government.
The General Civil Registry
The Brazilian ID registry, physically verifiable by an identity card, is often managed by the Secretariat of Public Security, which means that it connects with the crime prevention network. As the ID card issuance network is not digitally integrated, each state has its own institution and rules for issuing ID cards. There are 27 separate ID-issuing entities in the country, making it possible for each Brazilian to have more than one RG number.
Duplicate records are a reality. Likewise, there is no single rule for generating an ID number. This creates an ID registry that is not reliable, although it is the official one. As there is no technical requirement for the integration of general registry databases, the number can even be the same for two different citizens. The E-ping, a Ministry of Planning document that compiles standards from international sources and translates them into Portuguese, does not necessarily need to be respected in this case.
Centralised data centre, managed by a “central authority”
In May 2017, Brazilian President Michel Temer signed a law creating the Unified Registry of Identification, or RCN (registro civil nacional). This database will aggregate data from the Electoral Court and other entities. The purpose is to completely collect citizens’ credentials and provide a card for authentication and access to various services.
This excerpt from Bill n.1775/2015 summarises the security issues around the new document:
“(…) the security of the document will be ensured by using modern processes to keep the data in a chip on the card.”
However, the “modern processes” are not specified.
Keeping everything about a citizen in the same database seems relatively secure and sustainable, but it can also be a shortcut. This concentration of information could be used to serve authoritarian purposes. Also, there are technical problems that do not appear to have been considered, such as its long-term sustainability. The effectiveness of government committees in guaranteeing human rights also needs further analysis and discussion.
It is a mistake to think that the digitisation of a database of registries of this magnitude will necessarily increase the efficiency of the system. A centralised database may usher in the era of inefficient digital bureaucracy in Brazil: more time waiting in front of computers and terminals, as well as long periods of blackouts due to the volume of data to be processed (a recurring problem in the “Bolsa Familia” social welfare system). Alternatively, digitisation can just be an excuse to spend money on large contracts, bringing together a group of interests around a valuable database — since the project provides for a centralised “steering committee.”
Threats to privacy, freedom of expression and freedom of thought
The Brazilian state does not have a law that protects personal data. “Digital Identity”, in itself, has no definition in national legislation. The increasing surveillance capabilities of Brazil’s authorities is evident in initiatives around the World Cup and the Olympic Games, as Coding Rights research has shown. Also, the information centres created to perform pervasive surveillance by aggregating personal data represent a risk to the autonomy of the citizen, as Brazil moves towards a punitive vision of crime prevention.
A centralised database of IDs, if implemented, will increase the amount of information available for these centres.
If there is any lesson to draw here, it is that the centralisation of identity databases may cause more harm than good, due to the potential of increased surveillance it facilitates.
Centralising personal data away from its owner, the citizen, is not a great solution for the lack of standards in processes that deal with authorisation and access. Fraud, in this case, is a consequence of the abundance of data, and not the inverse, since multiple agents potentially have access to data that they did not have before. The ideal would be to have a national debate, with technicians from different fields, aiming towards an innovative solution to this issue. This solution must combine respect for freedom of expression and privacy with the need for efficiency in public services, despite the ‘common sense’ arguments driving technological development in the Brazilian public sector today.