Tunisia's parliament is discussing a bill to introduce identification documents, such as citizenship cards and passports, which store the holder's data electronically, raising concerns that the country lacks safeguards to prevent such information from being misused.
The bill put forward by the Ministry of Interior reintroduces an idea first proposed in 2015 that has faced strong opposition from activists and civil society organisations. They say the bill fails to provide legal and technical measures to protect people’s personal details and privacy.
The ministry has proposed replacing the existing laminated ID cards with electronic chip cards that can hold information on the holder, as well as their biometric data. The ID cards would be issued to every citizen upon turning 15 – rather than 18, as is currently the case – or, if parental approval is provided, upon turning 12. The cards would no longer mention the holder's profession or the name of their spouse.
The aim of the proposal is to move towards a more secure system for storing Tunisians' personal data to prevent fraud and identity theft, the ministry said.
The ministry's first attempt to pass the bill failed because of a lack of consensus in parliament over data privacy safeguards.
The bill was reintroduced in June 2020, but was never passed, after President Kais Saied suspended the parliament in July 2021 and later dissolved it.
In a public debate on the bill last Monday, MPs once again asked Interior Minister Kamel Feki for the government provides legal and technical safeguards to ensure the protection of people's private data.
Mohamed Ali, vice president of the parliament's rights and freedoms committee, told The National MPs were seeking guarantees in the law to protect citizens' personal information.
“The most important point is to provide safeguards to protect Tunisians’ personal data from misuse and any potential hacking,” Mr Ali said.
However, he supported the goal of introducing biometric IDs to prevent theft and fraud.
Since 2012, authorities have regularly announced uncovering networks that falsify passports, bank details and even birth certificates. In November 2021, prosecutors said seven people were arrested on suspicion of selling fake Tunisian passports and IDs to Syrians and people from other countries to enable them to travel and join ISIS
“Unfortunately, in the past 10 years there have been major problems due to the infiltration of Tunisia’s [security] systems that led to the falsification of documents which logistically support terrorism,” Mr Ali said.
“We cannot discuss terrorism without speaking about security breach, and where does that come from? It comes from the breach of our systems.”
What is at stake?
However, activists and civil society organisations say security concerns do not override the need to protect citizens' privacy, and that measures suggested so far, such as allowing state-affiliated bodies like the National Personal Data Protection Instance to supervise the implementation of the law, are not enough.
Cherif El Kadhi, a cyber security expert and Mena region policy analyst at Access Now, a digital rights advocacy group, told The National that gathering all information on citizens in a single database was a risk in and of itself.
It would not only provide the state with the tools to further police its citizens, he said, but the database may be hacked and the details leaked or sold on the dark web.
“A biometric database is the biggest risk and violation of private data,” Mr El Kadhi said.
The dark web, a part of the internet accessible only through special software that enables its users to remain anonymous and untraceable, is notorious for illegal activities such as the sale of personal data.
The US-based cybersecurity company Resecurity reported in October last year that hackers had accessed the personal data of more than 800 million Indians from India’s biometric ID system, Aadhar. The data, including names, phone numbers, addresses and passport details, were put on sale on the dark web, the report said.
Mr El Kadhi said a biometric identity system also posed the risk of greater surveillance by both the government and private entities, "such as the use of facial recognition tools to monitor people’s movements through street surveillance cameras”.
“Even when there are legal safeguards mentioned in the law, there are still no guarantees that this would not happen in real life,” he said.
In November last year, the online media platform Disclose revealed that despite having progressive personal data protection laws, France's Interior Ministry had secretly been using Israeli facial recognition software called Briefcam to monitor citizens' movements since 2015.
Mr El Kadhi called for an update to the country’s 2004 personal data protection law, which created the National Personal Data Protection Instance as a monitoring body but gave it limited powers.
Mr Ali agreed that it was necessary to strengthen the body's powers, and said the parliament would work on this before passing the bill.
The introduction of electronic ID cards would also cost the state money at a time when Tunisia is struggling with a public funds deficit.
Mr Ali said the project's estimated cost was only about $200,000, but Mr El Kadhi said implementing a biometric ID system would cost the state at least $19 million.
Safety or convenience?
With biometric passports becoming the norm in many countries, Tunisians are torn between following the rest of the world and maintaining the safety of their personal data.
Mohamed Anoir El Baina, a student affairs adviser who holds dual Tunisian-Moroccan citizenship, said the move would have both advantages and risks.
"I do not personally trust the level of security that our online servers have; there is always the risk that our personal data would be stolen and leaked overnight," Mr El Baina, 28, told The National.
However, the existing cards also carry such risks, he added.
"Tunisians have to give a copy of their ID whenever they want to buy even the most basic thing, such as getting a SIM card. People also lack awareness; it's not just the state's fault."
Despite the introduction in 2004 of a personal data protection law that says Tunisians should not provide copies of their ID cards, and must only share the three last digits of their ID number, businesses still demand copies from customers.
"There could be some form of protection through this new card, since it would only be read through special devices that not everyone will have," Mr El Baina said.
He said his Moroccan ID was a good example of the advantages of biometric cards.
"My Moroccan ID card has spared me a lot of effort while going through administrative procedures," he said.
"I can use that card's number, which is also encrypted with a four-digit password, to check on my accounts online, order stuff and pay bills."
The Tunisian bill also proposes a four-digit password for ID cards, but does not say what it could be used for.
