The States of Jersey announced on Friday 23rd March 2018 that they had selected mobile apps from a UK-based startup to be used as official government digital IDs. The startup, named ‘Yoti’, uses a system that requires the installation of closed-source, proprietary iOS or Android apps. This raises significant privacy and security concerns, and it means that the apps’ functionality is a secret and cannot be independently verified. This is especially worrying when you consider that digital IDs will be used for government elections in the coming years.
Jersey’s e-government team have been studying Estonia’s adoption of technology for the past few years, making fact-finding visits to one of the world’s leading digital jurisdictions. Estonia’s government published the source code of their online voting system way back in 2013.
Fast-forward to 2018 and it appears that Jersey’s representatives learnt little or nothing, as they have abandoned the Estonian open-source model. According to BBC Radio Jersey Political Reporter Chris Rayner, it appears that this has had regrettable consequences, and our relationship with Estonia has soured.
Jersey’s politicians fell for the cheap inkjet printer sales model, where you get a printer and starter cartridges for a low upfront cost, but you spend a fortune on the hidden long-term cost of refills.
The ID verification service will be accepted by government as a means of identification from May, and will be promoted for islanders to use with online government services as they become available. - gov.je website
I asked Yoti on social media if they would release their source code and they declined, stating that they “undergo third-party security audits”. I then asked for a copy of the audits and was told that the “reports are not publicly viewable”. It is Yoti’s right to set these restrictions; however, they do require that the citizens of Jersey rely solely on Yoti’s marketing claims, without any additional proof.
This arrangement might be OK for a simple game I play on my mobile, but it is completely unacceptable for something I need to rely on down at the Taxes office or at an election polling station. I am expected to trust this mystery app to record my passport info and ID card. Reviewing the permissions their Android app requests, I see it wants access to my contacts, camera, and microphone audio. Who is Yoti and how are they storing and processing my data? Precisely what does their app do with personal data stored on my mobile? The answer to these questions is unknown and cannot be learned until the source code is released.
The Open-source Model Explained
Open-source software’s source code is released to the public and its license permits anyone to study, change, and distribute the software to anyone and for any purpose. This means the software can be independently evaluated for quality, reliability, and integrity. Researchers may verify that a particular app does exactly what it claims and that stored data cannot be tampered with or manipulated in secret. You can see the appeal, especially for something that you will someday use to cast your vote and elect government officials.
Proprietary apps such as those from Yoti are built with computer code that is kept secret, and they lack accountability. To use them you must trust the marketing claims of the supplier, and you have no way to verify how they actually work. Following the Estonian model and using open-source software also means that digital ID apps can be adapted and further developed as new features are required.
The same week the digital ID announcement was made, news broke of a call to freeze billions of pounds of Russian assets held in Jersey and other offshore territories. Leaders of U.S. intelligence agencies have already warned that elections are ‘under attack’ by Russian operatives, and it does not take much foresight to understand that elections in Jersey are another attractive target for manipulation, especially as UK-Russia relations deteriorate after the recent chemical weapons attack in London. (In fairness to Russia, I have no doubt that American and British interests have worked to influence elections in Russia as well.)
To install the Yoti apps you must create an account online with Apple or Google, and this means you are required to disclose personal information to these third parties and ‘agree’ to their varying Terms and Privacy Policies. Neither company even recognises Jersey as an independent jurisdiction. See for yourself: here is Apple’s “Choose your country or region” page and here is Google’s list of “Supported locations for distribution to Google Play users”. Jersey is not even listed.
The States of Jersey have once again outsourced an important service to a third party because they are incapable of doing it themselves. They can’t even ask local developers to collaborate and add features like they did with the bus tracker; it’s a complete ‘black box’.
As an IT consultant focussed on privacy and security, I regularly do presentations for the public, teaching them how to secure their data and devices. I stress the importance of checking account settings, carefully reading the ‘fine print’ in agreements and opting out of data sharing whenever possible. This is especially true for apps which request access to your contacts and location info.
Therefore it should not come as a surprise that I think the people of Jersey should avoid using Yoti’s apps and they should not trust Yoti’s secret app code with any sensitive or personal data. Keep using your driving license or passport for now.