By Kim Mai Tran & Audreyna Tjiptardjo —

Southeast Asia is home to a booming digital economy and rapid mobile growth. With about 400 million users among ASEAN’s total population of 630 million, the region’s digital users are more numerous than the United States. Internet connectivity on the consumer side via a home, fixed line, or mobile data has reached a majority of the population. Social media use is on the rise with over 360 million users according to a 2019 Google, Temasek, and Bain & Co report, a number that has increased by around 34 percent year on year. With so many people online, digital identity is quickly emerging as a key issue for Southeast Asia’s digital economy, with privacy and cybersecurity concerns proliferating. Given the current lack of good data governance in Southeast Asia, threats abound and malicious actors could use exploited data to harm both individuals and societies.

Digital identity is best defined as a collection of stored identity attributes, including biographic data such as name, age, gender, and address as well as biometric data such as fingerprints and facial photographs that are used for electronic transactions. It is necessary for social and financial inclusion, access to government benefits, and it facilitates trade, exchanges, and e-commerce. There are two types of digital identity: first, an imposed identity by the state or proxies of the state. In Indonesia, for example, the state issues an electronic resident identity card — the e-KTP — that contains biometric data and is used for the issuance of passports, driving licenses, and land ownership certificates. Second, a de facto identity, created specifically for or by the user, commonly by private actors, by relying on the user’s primary identity. Examples of de facto identities include email addresses and social media accounts that serve as a user’s digital identity.

Both forms of digital identity are directly or indirectly regulated by governments. As government -issued identity, imposed identity is directly regulated by the state through laws and regulations. De facto identity regulations are set by private agents but are, in turn, subject to government regulation and rule of law. Most ASEAN member countries have implemented data protection and data sovereignty laws and regulations. In 2018, Vietnam enacted its controversial Law on Cyber Information Security under which the state has the power to request users’ personal data that are suspected of subversive activities. As for de facto identities, fintech companies in Indonesia have to maintain users’ personal data in accordance with regulations, such as the Ministry of Communication and Informatics Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (MoCI 20). MoCI 20 protects personal data that exists and/or is stored in an electronic system. In doing so, it requires all electronic system operators to formulate internal regulations for data protection.

Digital identity also has the potential to benefit society, including as a tool to reduce inequality. As of 2018, over 65 million people in Southeast Asia lacked a recognized form of identification and can be denied government subsidies, healthcare, financial services, job opportunities, and property as a result. If implemented correctly, digital identity could unlock economic and social opportunities, likely supplanting traditional forms of identity in the next decade. To date, five out of the ten ASEAN countries–Indonesia, Malaysia, Singapore, Thailand, and Brunei– have digitized the foundation of their identification systems. Cambodia, Laos, and Vietnam are conducting pilot digital identification programs; Myanmar and the Philippines have featured digital identity on the list of their national priorities. In all ASEAN countries but Singapore and Cambodia, digital identifications are or will be free.

However, digital identity and its derivatives pose potential threats to civil rights and privacy if they fall in the wrong hands. ASEAN countries are more vulnerable to cyber attacks due to underdeveloped cybersecurity infrastructure or lack of adequate law enforcement. This cyber vulnerability carries significant risks for the safety and protection of digital identities. Earlier this year, employees’ email log in information in several government agencies and educational institutions in Singapore such as Ministry of Education, Ministry of Health, and National University of Singapore have been listed online for sale by hackers.

Akin to physical forms of identification, there needs be a cohesive system behind digital identification regulation. There is a risk that ASEAN countries will not adopt standards that will ensure consumer data protection and regional interoperability. Currently regulations vary dramatically in terms of development. Regionally, ASEAN countries have a general legal framework on data protection under the ASEAN Framework of Personal Data Protection in 2016. Singapore, the Philippines, and Malaysia are the most developed, each having their own commissions dedicated to personal data protection. Indonesia, Thailand, and Myanmar are currently in the process of formulating more detailed personal data protection regulations. Data protection in Vietnam and Cambodia is regulated under their general legal framework on telecommunication and cyber security. Meanwhile, Brunei and Laos have yet to formulate comprehensive legislation on privacy and personal data protection.

But beyond cybersecurity and commercial exploitation concerns, misuse of digital identity presents its own challenges. Instead of benefiting society, digital identity could be used for undesirable purposes by governments (data misuse and manipulation) directly affecting the safety and rights of people, enabling them to disenfranchise citizens, or circumvent rule of law. Moreover, China’s increasing control over considerable amounts of data in Southeast Asia through vulnerable hardware or exposed software poses strategic risks for ASEAN countries adopting digital identity-forward policies.

Furthermore, as the main issuer of digital identification, governments have the power to include or exclude certain groups of people, whether because of their ethnicity, social status, or on the basis of gender. For example in Myanmar, for over 30 years, the Rohingya have been denied a National Registration Card (NRC) and thus have been stripped of their citizenship, voting rights, access to education, jobs, and healthcare, leaving 3.5 million of them on the margins of society, limiting their participation in elections and access to basic human rights. As the Myanmar government replaces its NRC with Smart Cards, the issuance of such cards is still an uncertainty for the Rohingya. The Rohingya Project is attempting to solve this issue by creating digital identities for the Rohingya using blockchain technology.

Digital forms of identification and digital identities are a critical part of the expanding and transformative digital ecosystem in Southeast Asia, providing unprecedented opportunities to financial, social, and health services for populations on the margins. However, it is important that governments consider the risks alongside the opportunities and carefully develop regulations and controls.

Ms. Kim Mai Tran is a Research Associate with the Southeast Asia Program at CSIS. Ms. Audreyna Tjiptardjo is a research intern with the CSIS Southeast Asia Program.