It was very interesting to read about the new national identity card and its subsequent fallout. I am very glad that Nigerians have taken an interest in the subject and are protesting vehemently over the plan to integrate the ID card with MasterCard, an American financial firm with a somewhat colourful litigation history. Which makes it all the more amazing that the Director-General of the National Identity Management Commission (NIMC), Mr Chris Onyemenam, would proudly proclaim that it was MasterCard’s “credibility and reputation” which attracted the NIMC to partner with them on the project.

The all new Nigerian ID card, proudly brought to you by MasterCard.

You know, for all the talk about banning importation of various goods in order to encourage local businesses to flourish, partnering with MasterCard, a company which has been taken to court on antitrust charges more than most others, is a bizarre twist, to say the least. The idea is that the first 13 million cards will be in concert with MasterCard, and subsequent cards will have the “option” of Visa or Verve. As explained very clearly in this article, the choice of MasterCard may actually hinder the growth of Nigerian financial institutions who are in the very same business as the American giant. It also notes that “only about 7.7 percent of Nigerians use cards abroad on foreign websites”, meaning it therefore cannot be argued that the Nigerian firms cannot adequately serve the populace globally, or any other such claim.

Moving on to the details of the card itself, I can appreciate that it seems like a nifty idea to link the cards with a financial aspect since the majority of Nigerians don’t have bank accounts, primarily due to the inability to prove their identity. However, it is something that should have been rejected quickly enough because it is neither practical nor advisable.

First of all, the ID card itself is proof of identity, and should therefore be good enough to aid people in opening bank accounts, hence eliminating the need to tie it in with a financial institution. Secondly, imagine a situation where Babatunde’s only identification is this card. If he is ever robbed and forced to divulge his PIN code then he has not only lost his financial access but also his identification and would therefore end up right back where he started. Simply put, better security means you do not put all your eggs in one basket; you diversify your portfolio, etc. Another thing to consider is that most of the card hackers out there are concerned with financial gain, therefore they tend to focus more on hacking into those containing financial information than, say, the biometric data on your passport. Therefore, combining such a tasty target as access to your finances with your national identity (which may be your ONLY identity, as in Babatunde’s case) is so obviously a bad idea that it should have been laughed off the table. Because once a hacker is able to access your card and take all your money away, he is now left with your entire identity. If he is of a mind, and has a bit of time on his hands, he may look around for who would be willing to pay for the data. Thus the biometrics of millions of Nigerians go on the dark net for sale, unbeknownst to us. Because, you see, the Nigerian government is incredibly opaque and sometimes downright deceitful in providing information to us citizens. Therefore, in a situation where a number of cards are hacked and our information put up for sale on the black market, I think we can agree that the government would keep mum on the issue rather than embarrass itself by informing us so that we can take steps to protect ourselves.

Which brings us to an aspect which has definitely put Nigerians on edge: the security issue. The card requires that you submit not only your personal information, but also your biometric data: 10 fingerprints and an iris scan. First of all, before submitting such detailed personal info to any body, be they governmental or otherwise, one should always consider the implications very carefully because, once divulged, such data is nearly impossible to take back. They will keep your data, and potentially use it against you or use you as the product which they sell to others. I am not implying that the government will do any such thing; it is just a piece of advice for whenever such data is asked of you.

And how is this not akin to providing the United States of America, a country which is going through a bit of a dilemma over its electronic spying, direct access to the data of all Nigerian citizens? The federal government does not seem to think so, apparently banking on the fact that the US is an ally and therefore the thought is far-fetched and easily countered. But I think it is ridiculous to expect your allies not to spy on you. Everybody spies on everybody, ally or not, as clearly demonstrated when it was revealed that America had been tapping the personal phone of the German Chancellor Angela Merkel. All the US would need to do in this case is convince one of their judges to issue a subpoena to MasterCard (an American company), along with a gag order to keep the whole thing silent, and the company would be forced to pass along all the information they have on any Nigerian citizens in their database. Such things have already been done, even in the case of Microsoft where the data was actually being stored on servers not even located in the United States. So clearly, even if MasterCard was required to operate in Nigeria, within Nigerian law, and what not, the simple fact of it being an American company means it is still subject to American laws and must therefore abide by those. As well, if the US decides to sanction Nigeria for, oh I don’t know, gay rights maybe, then this idea of providing financial services to the Nigerians without bank accounts becomes a way of freezing the accounts of tens of millions of innocent citizens.

Consider also that the mass surveillance of America’s National Intelligence Agency (NSA) has been concentrated on finding ways to access the personal data of users of American companies mostly. This may simply be because most of the largest Internet databases are controlled by American companies, but either way it establishes that if you provide an American (or British, for that matter) company with access to a wealth of data, you are essentially dangling it up in the air for the NSA or GCHQ to grab at.

In response the NIMC, since the outcry, has intimated that the data on the card is contained in 13 applets, of which 5 will be initially activated and MasterCard has access to only one. The argument then, is that the foreign company only manages the payments, while the personal data of us citizens remains completely hidden from them. Sounds noble enough in theory, but in practice it is likely to fail miserably. Because if you can hack (or be granted permission to) one part of a system, even if it is just 1 in 13, it then gives you access to the rest of it. Here is what I mean. Every system is a collection of different parts, all of which must work together in order for the whole to function. Thus in order for the financial applet of the card to be in concert with the rest of it, there are guidelines on how it must function and integrate into the system as a whole, otherwise it would compromise the entire system and cause unnecessary crashes. So now, any hacker who can gain access to the financial applet can study it and understand its methods and how it connects to and works with the rest of the system. The hacker would then explore the financial applet for potential vulnerabilities in the way that it works with other parts of the system; and despite the NIMC’s assurances, I think we can all accept that there is no such thing as a perfect system. Once that is known, it then becomes easier to identify similar patterns in the other applets, at a binary level if necessary, which will then enable the hacker to better decide which area to probe for weakness and gain access to the targeted applet. At which point, “all your base are belong to us”, as they say. Also keep in mind that it is not unprecedented for a company like MasterCard to see its database hacked through a 3rd party firm working with it. Indeed, even cyber security firms get hacked.

These ID cards, apart from containing all your data and a magnetic strip to boot, are also implanted with Radio Frequency Identification (RFID) chips. These chips allow for wireless communication between the card and external devices and they are typically used for contactless transactions, for instance at tollgates. This presents another security issue. An earlier generation of RFID cards had been proven insecure by researchers who accessed their data wirelessly, without ever coming into contact with the card, by devices built using readily available electronics at a cost of about $150. The researchers suggested that such a device would enable its user to simply walk past a group of people and the device will lift the information from all their cards without their ever knowing. Since then RFID technology has been improved and known vulnerabilities taken care of. However, the problem with wireless communication is that it always has the potential to be breached, precisely because it does not require physical contact with the payment system trying to access it. Therefore the RFID chip must always be available, listening for communication from another device, and then responding if it believes that device to be authentic. There is an interesting article on the potential failings of RFID chips in credit cards that you can read here. Essentially, researchers have proved that they can access the RFID chips of credit cards that are still in your wallet, even if just to read the credit card number. And this is just the start of it. As it mentions, the real challenges with securing RFID chips will come when they are adopted on a scale large enough to attract the attention of top hackers, at which point the battle will become interesting, to say the least. 
And if that were to happen, or a new vulnerability discovered (as happens all the time, hence the continual security updates being rolled out regularly), would we then be required to have all our eID cards (which serve as our ATM, identification, voter’s, license, pension card all in one) replaced? 

And the idea that this will somehow help the reported 70% of Nigerians who do not possess a bank account seems a bit strange to me. MasterCard, along with Visa and other such financial companies, charges for its services, and I am not sure that it charges less than your local bank does. Who bears the cost of these charges? I doubt the government is so benevolent as to take that grenade on our behalf, so it stands to reason that the man living so far beneath the poverty line that he cannot afford to have a bank account would then be forced to pay whatever charges MasterCard deems appropriate for their “services”. And make no mistake about it, like all companies, they are interested in turning a profit. In fact, MasterCard has gotten into trouble before over their charge policies. They have been sued multiple times in America, Europe and other continents for artificially raising the fees charged for swiping their cards to make purchases and have had to pay out billions of dollars in settlement.

Another major problem with this card is that the Nigerian government is in control of it, and they intend to tie it in to your ability to vote, among a host of other things. The idea is that, by 2019, only those possessing these cards will be allowed to vote in elections. Therefore your identity (including biometrics) will be tied to your finances, which will in turn be tied to your vote. It is not difficult at all to imagine a situation where the RFID chip in your card will be remotely turned off at a convenient time to prevent you from voting or, if you have already voted for the wrong candidate, prevent access to your finances. Remember, RFID enables wireless communication, so you do not even have to swipe your card, you need only be at a polling booth suspected of being an opposition stronghold. As a matter of fact, the RFID chip could be used to track your movements. I will be expanding on this, and other state control matters, in a subsequent article, but go ahead and start being afraid already.

Finally, there isn’t a security company worth the name which would advise combining all your valuable data in one place. Privacy International said it best, as quoted by ZDNet Security newsletter:

“Centralising and combining government databases makes it easy to link together pieces of information about an individual and build a near complete picture of someone’s life,” said the organisation’s legal officer, Anna Crowe.

“This type of capability is extremely invasive. The crucial issue is to put in place safeguards that guarantee fundamental principles of data protection are being respected, such as only using data for the purposes for which it was collected. This is extremely challenging for any country, let alone one that already faces significant challenges around corruption and ensuring respect for human rights.”

“National ID schemes can prove problematic in many respects, but commercialisation of such a scheme raises additional, and serious, questions,” Crowe said. “What does Mastercard and the bank’s involvement entail? Will data be shared for commercial gain? How can Nigerians be confident that their right to privacy is being upheld?

“When you register to vote you are doing so for a specific purpose — to be able to exercise your rights — not to see your information handed on to a private company without your consent or knowledge.”

 In conclusion, the Nigerian government, through this program, might try to convince you that it has found a way to provide proper identification to the citizens and at the same time provide access to financial services for the millions who currently live without it, but this is simply not true. By insisting on a single card to carry your photograph, details, biometric data, financial data, act as your driver’s license, voter’s card, national ID card allowing you to cross borders, pension card and heaven knows what else (13 applets means potentially 13 different applications), the Nigerian government has, to borrow a term, created “one card to rule them all”. What they have done instead is place the entire populace under their direct control with the aid of foreign financial institutions, Wall Street and, by extension, the American government. The US may as well go ahead and annex Nigeria right now. But no, they won’t, because then they would have to give us visas.