National Electronic Identity Card: Time to Rest The Controversy
Finally, the National Identity Management Commission, NIMC, launched the National Electronic Identity card, e-ID. This is in line with the Commission’s determination to meet the December 31st,2014 deadline given to it by the President of Nigeria to enrol all eligible Nigerians in the database. The pilot phase of the e-ID will involve issuing cards to about 13 million Nigerian citizens.
The purpose of the National Identity Management System is to capture and manage biometric data of eligible citizens and also bring together,under one secure platform, federated biometric data from all the agencies that currently capture and guard them jealously. At the moment, agencies and institutions like the FRSC, INEC, Immigration Service, Police, banks etc keep silos of citizen biometric data. There is a lot wrong with this and it is not global best practice. All these agencies will have to surrender data they keep for harmonization with the National Database.
Imagine if, for example, you require an International Passport. All that is now needed (when the National Database goes into full use) is for the Immigration Service to log into the National Identity Management system, after levels of access check, key in your national identity number, NIN, and the part of your authentic, verified biometric data necessary to issue you a passport, gets transmitted to them. You do not need to submit any new documents to identify you; you do not have to waste time for taking your picture, capturing your fingerprints, etc. You can actually get your passport issued in a matter of minutes.
Controversy, rather than elation, greeted the lunching of the card especially because of the MasterCard logo behind the e-ID. Some were of the opinion that MasterCard was a private, foreign company and should not have been allowed to brand the card. Other opinions said MasterCard had been handed the contract to make the cards. Some others said MasterCard had been given access to Nigeria’s citizen database without an enabling Data Protection law in place. They felt it was a potential breach of national security. Let me say these:
- MasterCard did not produce the e-ID
- MasterCard does not have access to the National Identity Management system
- All cards used for payment, as is the practice, carry the logo of the payment technology entity.
- MasterCard is only involved in the payment applet which is only one of the 13 applets embedded on the card chip.
According to Mastercard’s business head for West Africa, Omoke Ojumuyide, who spoke with ZNET.com, “Mastercard does not handle the biometric data,” she said. “We are strictly confined to the payment technology on the chip.”
Most of these misgivings are borne out of an ignorance of what the e-ID is really about.
I was in a meeting, sometime in late 2012 or early 2013, when the DG of NIMC made a presentation to a cross-section of stakeholders on what the e-ID, also known as the General Multi-Purpose card, GMPC, was all about. In attendance were members of the intelligence and security community, the armed forces, CBN, amongst others.
Mr. Chris Onyemenam, the NIMC DG, took us through what the 13 applets that will be embedded in the chip on the card are about and what security measures have been put in place to safeguard the high value asset – a Citizen’s biometric data, residing in the National Database.
In the heat of the controversy, NIMC reached out via their twitter handle and succinctly, in a document, explained everything about the card. Before I reproduce the content of that document here, I will like to address the issue of Data Protection law.
I agree very much with the opinion that we do not have a Data Protection Act in Nigeria. The National Assembly needs to work on that. The people who conceived NIMC and the National Identity card project, a project that pre-dates the present government, were very aware of this gap. So when the NIMC Act of 2007 was being formulated, laws that guard the use and protection of the biometric data with NIMC were embedded in it. It will be nice to go through the NIMC Act to stay abreast of this. A look at Part IV, Section 28, under Offenses and Penalties, is a quick start.
Let me now reproduce NIMC’s release below.
Facts about the National eID Card
Now that the National eID Card has been formally launched, a lot of questions are being asked, which needs to be cleared up.
If anyone has any doubt as to the authenticity and accuracy of what is contained below, they should kindly back up their claims with real facts and proof so as not to mislead the General Public.
Firstly, the new National eID Card issued by the National Identity Management Commission (NIMC) is primarily a National Identity Card with a SmartCard built-in, containing provision for up to 13 applets, of which 5 are activated when an applicant picks up his/her Card.
Fact: Access to National Database by MasterCard or other foreign companies/Governments
The National Identity Database is not open to inspection by ANY party, home or abroad. There is absolutely no provision for any foreign Government or body to access the database.
MasterCard is providing functionality for 1 of the 5 applets, just as you have with your ATM Cards. No one complains that your name is on the ATM card, or that that information may be held in America. The concern here is biometric data and other demographic information such as next of Kin and so on. MasterCard DOES NOT HAVE and WILL NEVER have access to such information.
Any suggestion that MasterCard, Visa, or any other foreign body will gain access to the database is pure fiction not backed up with evidence.
This is NOT the same as verification services, which is where an Embassy may request to verify a person’s National Identification Number (NIN) to ascertain that the person requesting a visa is the genuine article. It is done all over the world, and the provision for NIN on the Visa application forms for many countries such as UK, US and even Schenghen states, was not introduced because of Nigeria’s NIN.
The applets active when you pick up your card include:
This is where a secure terminal matches a specific fingerprint against that locked away on The Card. Too many attempts, and the applet is blocked for security reasons.
That way, an agency or concerned body can be sure that the person presenting the Card is the true owner. It is no different than what is currently done with your International Passport.
The National Identity Card is also a travel document and conforms to the same standards (ICAO 9303 Rev 2) as International Passports and National Identity Cards of other nations which have TD1 functionality built in. It is hoped that the document will be used for ECOWAS travel (without the need for a Passport), as the applet CANNOT be forged. NIMC has its own Document Signer (DS), on behalf of the Federal Republic of Nigeria. So we are not sending certificates requests (CSRs) outside Nigeria to be signed for this applet.
In the first phase, MasterCard is offering payment functionality for the Card. There is a firewall between this applet and all the other applets so not even a POS terminal can access the secure data protected by EAC2 on certain parts of the Card. As stated earlier, the National Database is NOT the business of MasterCard and never will be. Later on, we will have Visa and Verve Cards as alternatives to MasterCard. MasterCard will only be available on the first 13 million Cards.
This is the MAIN applet. The electronic ID applet, which contains some of the information submitted during enrolment. Other information such as address are also available on the Card but protected by higher levels of access control called EAC2. The NIN is also locked away in EAC2 protection.
Most information is NOT available on the Card, such as next of Kin, parentage and so on. These are only available in the National Identity Database (NIDB).
This applet contains strong certificates which allow for document signing, non-repudiation, encryption and so on.
NIMC has conformed to International Best Practices to provide this applet. The Non-repudiation simply means that where a person has digitally signed a document with his/her Card using the e-PKI applet, the person CANNOT turn around tomorrow and say “I didn’t sign this document, it’s a forgery”. For this to occur, aside from the applet, other security measures have been put in place to ensure that indeed, a person won’t be able to deny his/her document signature.
Fact: Verification Services
Any embassy wishing to participate in verification services in the near future will need to go through a very stringent and rigorous approval process. NIMC will then offer a 1-to-many service, meaning that a NIN is supplied via a secure channel to NIMC’s verification platform and then a lookup is done against the National Database.
Fact: Public Key Infrastructure
NIMC is the custodian of the National Identity Database and we would be contravening so many national security laws if we ever share this information with unauthorised persons or entities.
The Department of State Security (DSS) has scrutinised NIMC and can attest that The Commission has put all kinds of processes and security measures in place to avoid such breaches of National Security.
NIMC has even gone as far as implementing its own PKI Infrastructure, which means that Digital Certificates and Keys issued for each individual are not sent out for signing, but are signed internally as Nigeria now has its own Registration Authority (RA) and Country Signing Certificate of Authority (CSCA) as well as a host of other PKI systems thereby negating the need to depend on a foreign Government to sign our certificates. Nigeria has its own OID (for those who know what that means) and we had to apply through the Standards Organisation of Nigeria (SON) and the ITU. Which means that Nigeria’s RA is recognised by ICAO worldwide, making our Card a globally-acceptable Identity Card which conforms to International Standards.
Fact: Shutdown of Infrastructure by MasterCard or U.S Government
In the unlikely event that Nigeria has problems with the US Government similar to the issue with Russia, the only part of the entire Card that can be shut down is the payment applet. This applet is only 1 of 13 on the Card. It has ABSOLUTELY NOTHING to do with the ePKI, eID, MoC, Tax, Voter, Travel, Health or other applets.
It is NOT a glorified payment Card, but a National Identity Card offering a myriad of functions of which, one is payment.
Head, Card Management Services
National Identity Management Commission
The e-ID is actually a step in the right direction. It is what serious countries do. With the size of our population and the many security challenges we have, there is no better time than now to get serious.
If you have not enrolled for your National identity Number, NIN, yet, here is a good places to start. NIMC will let you know when your card will be ready. Take note, enrollment and issuance of the card is absolutely free.