On the morning of Christmas 2020, a mother from Hsinchu City, northwestern Taiwan, spoke bravely into a microphone, calling out to the central government: “Policies that are relevant to people’s lives should be implemented in a safe and secure manner.”
With her were Hsinchu City Councilor Liao Tzu-chi and representatives from civil society organizations such as the Taiwan Association for Human Rights. Despite the gentle holiday chill outside, the press conference was ablaze with indignation, the air electric with the people’s refusal to be the state’s lab rats.
The pushback was against plans by the Taiwanese government to establish an electronic identification (eID) system, which would function like a citizen digital certificate. Using their eIDs, people could access their personal information online, retrieving their health or labor insurance, among others. The eID would even allow them to pay their taxes over the internet.
But the most crucial part about the proposed eID is that it faces strong opposition from civil society and scholars.
The sparks from that Christmas morning press conference set off a chain of small explosions, ultimately toppling the plans to roll out the eID. On that same day, the local city government of Hsinchu announced that it was inclined to suspend the trial run of eID among its residents.
Other localities – like the Banqiao and Zhonghe districts in New Taipei City, and Penghu County, all initially selected for the pilot eID program – followed suit. Not long after, legislators aligned with the Democratic Progressive Party (DPP) met with Su Chen-Chang, President of the Executive Yuan, the executive branch of Taiwan’s government.
On January 21 this year, the Executive Yuan released a resolution, yielding its position: “We will implement it after we have improved the legal infrastructure,” they said. The eID has been on indefinite hold since.
Smart Government
The fight against coordinated efforts of the government to impinge on citizen privacy stretches as far back as 1998, when the Taiwan Association for Human Rights worked to block the national card policy, the government’s attempt to use the ID replacement policy to collect a large amount of people’s personal information and conduct digital surveillance. The eID is merely the latest frontier in this battle.
First touted by the central government as “the foundation for the realization of smart government,” the eID system is supposed to make administrative transactions easier, while also protecting the users’ data. The system is said to be protected by chip encryption, and data would be stored in databases under the care of various government agencies.
But it’s clear that the promise of convenience was built on a flimsy reassurance of security – and is far outweighed by the risks the eIDs could bring.
In the first place, Taiwan’s push for a smart government doesn’t even need the eID system. For example, the Digital Service Personalization Platform, better known as MyData, was officially launched on April 16. Its remote identity verification method currently does not have the eID verification option.
More urgent, however, are the security concerns. Of these, a November 2020 paper published by the Institutum Iurisprudentiae and Information Law Center of Academia Sinica points out three particularly worrying fronts: insufficient legal basis, weak digital security risk assessment, and the China factor.
Convenience vs privacy
Taiwan’s Ministry of Interior (MOI) has always believed that the ID transition from paper to digital was a trivial matter. Minimizing the jump as merely a change in format, the MOI has argued that the legal framework for eIDs is sound, citing Article 52 of the Civil Registration Law, as well as relevant regulations under the Personal Data Protection Act, Electronic Signature Act, and Cyber Security Management Act.
According to this line of reasoning, to create a special law governing eIDs would be redundant, pointless.
But elsewhere in the world, what the MOI brands as redundancy has instead been seen as a legitimate legal measure to protect the people. “In Germany, even the photocopying of identification is explicitly prohibited by law,” says Wen-Chung Chiu, researcher at Academia Sinica. “In Japan, digital IDs are restricted to three uses: social security, taxation, and disaster prevention to avoid abuse.”
Chiu pushes further. If the transition from paper to digital was only a matter of format, he asks, is it the same, then, if the eID pushed for a chip under the skin?
In their January 2021 statement, the Executive Yuan seems to have finally realized this, agreeing to delay eID implementation pending an improvement in the legal infrastructure. It has been their biggest concession on the matter to date.
No such concession has been given, though, as regards the people’s digital security and privacy. An investigation report of the Supervisory Yuan clearly points out that the MOI has not only failed to communicate with the public regarding proper policy risk assessment, but has also repeatedly provided only verbal guarantees for the protection of personal information privacy.
The Executive Yuan has also done none of the basic work to establish the infrastructure for information protection, such as passing amendments to the Personal Information Act or establishing an independent agency to oversee digital security. Combined with major information security breaches in government departments – hackings, leaks, virus attacks, among others – the people’s faith in a secure eID system has shrunk to an embarrassing low.
According to digital security expert Professor Lee Chung-Hsien of National Cheng Kung University, “ensuring digital security is an important prerequisite for enjoying information services.”
“Whether to change to eID is a tug of war between ‘convenience’ and ‘privacy,’” he continues. “When we try to weigh these two values, we must bear in mind that ‘convenience’ will not bring more rights to the people, but ‘privacy’ will directly affect people’s security and autonomy.”
The China factor
Behind all the controversies over security and concessions regarding legality lies what is likely the principal reason behind the government’s move to delay the eID: mainland China.
It is an indisputable fact that China’s infiltration of Taiwan has grown all-encompassing in recent years, and many commentators are worried that the eID policy could become a vehicle for the Chinese government to monitor the people of Taiwan in a comprehensive manner.
China, for example, has already been using the Face Recognition System in various aspects of life, such as their so-called social credit system. In line with this, the MOI has been unable to explain why the proposed eID system has to force people to provide 300 dpi photo files, the resolution Face Recognition Systems require.
Moreover, a Supervisory Yuan investigation report pointed out that half of the contractors involved in the eID system – including GuoJu, Idemia, and ChungHwa Telecom – are shrouded in the suspicion of China’s influence. For example, the MOI is also unable to say whether Idemia will have the cards manufactured by its subsidiary in Shenzhen, China, creating the risk of backdoor programs being directly implanted into the chips.
Through several publicly available documents, Wu Jiemin, researcher at the Institute of Sociology, Academia Sinica, has also discovered that two companies that ChungHwa Telecom has invested in are typical cross-strait enterprises. Together, these reinforce the need for a deeper investigation into service providers involved in the eID system, in order to protect Taiwan’s sovereignty.
Taken by such damning suspicions, a number of DPP legislators held a press conference calling the digital ID system “a breach of China’s infiltration, so it should be suspended until a special legal chapter and a dedicated protection agency are established.”
Such a strong stance from lawmakers, coupled with mounting pressure from civil society and the public at large, catalyzed the Executive Yuan’s decision to hit pause on the eID.
While undeniably a huge victory, it’s still important to keep in mind that the decision was only to delay the eID, not to scrap it outright. And until the government is able to lay down an adequate legal framework, establish mechanisms to protect personal information, and clear China’s influence from contractors – all crucial components of the people’s digital security – the threat of digital authoritarianism will continue to loom large on Taiwan’s horizon. ●
Shih Yi-Hsiang is the Secretary General of the Taiwan Association for Human Rights (TAHR), an independent, non-governmental organization founded on December 10, 1984, International Human Rights Day. TAHR is a member-based organization and is run full-time by activists and volunteers.