
Technology in Society 67 (2021) 101734


Cybersecurity through the lens of Digital Identity and Data Protection: Issues and Trends
Mary-Jane Sule a,*, Marco Zennaro a, Godwin Thomas b
a The Abdus Salam International Centre for Theoretical Physics, Trieste, Italy
b University of Jos Nigeria, Nigeria

ARTICLE INFO

Keywords: Digital identity; Secure cloud platforms; Digital ecosystems; Cybersecurity; National security; Economy

ABSTRACT

The use of a secure and robust digital identification system that is capable of protecting privacy is an essential, reliable and user-friendly element for a strong cyber resilience strategy and is a source of new business opportunities and applications for banks, private sector with a return on their investment.

The march towards Digital Identity is well underway; therefore, focus should be on both adoption and adaption of the new structures and regulations. These are needed to govern the associated services and transactions as well as establishing laws that enforce penalties for violations.

There is no doubt then that more and more entities and institutions would move to the cloud. Security challenges affecting the cloud may not be new but the mode of addressing them would be different. The authors develop a Data Colouring technique for securing data processed or stored on both cloud and non-cloud platforms. The technique combines Public Key Infrastructure (PKI), concatenated fingerprints and digital watermarking. Using this technique, data can be secured at creation or during storage and remains secure during processing.

* Corresponding author.
E-mail addresses: msule@ictp.it (M.-J. Sule), mzennaro@ictp.it (M. Zennaro), thomasg@unijos.edu.ng (G. Thomas).
https://doi.org/10.1016/j.techsoc.2021.101734
Received 19 April 2021; Received in revised form 17 August 2021; Accepted 4 September 2021
Available online 22 September 2021
0160-791X/© 2021 Elsevier Ltd. All rights reserved.

1. Introduction

Understanding Cybersecurity starts with the basic assumption that in cyberspace (a generic name for all online or electronic platforms) we all are attractive targets for attacks by cyber criminals. The intended objects could be our money or data, ranging from usernames, passwords, documents and emails to online presence, among others. Most cyberattacks are generic and can happen to anybody, although personalised attacks do occur. One basic and common enabler of cyberattack is human error. These enablers could be as simple as trusting the electronically sent instructions in a phishing email, or as complex as criminals posing as clients, vendors or even employees or professionals with the aim of gaining access to your assets (both financial and others) [1]. There is therefore the need for computer security against these attacks.

In the fields of IT and computing, computer security involves the protection and fortification of computing resources, data integrity, limiting unauthorised activities, keeping malicious users out and, of paramount importance, maintaining and enforcing data confidentiality. Therefore, for any system to satisfy the security requirement, its resources have to be available for legitimate access and use in a timely and consistent manner while avoiding exposure to malicious destruction, illegal disclosure or access by unauthorised users or entities. Therefore, the automated system needs to be protected to preserve its integrity, availability and confidentiality [2].

According to [3], every online user leaves a digital trace of his/her personal data and identity on the Internet. Some of the activities we engage with online are not secure and we have cyber criminals and fraudsters looking for new ways to obtain people’s personal data. As cyber space security professionals or users it may be ideal to try and prevent any kind of breach to the system, but it is more critical to try to identify any breach and mitigate its damage as quickly as possible to protect the system and data, as even the attackers are always changing their methods.

Globally, Identity plays a major role in our everyday activities; it is a complex subject. Establishing identity usually requires a complete Ecosystem that involves a process of verification of what a person knows uniquely (e.g. username, password or pin) and what the person has (e.g. cell-phone number or token generator) in order to allow that individual to complete or be denied completing a transaction/process.

This paper examines three principal aspects of cybersecurity that involve Digital Identity and Data protection. These aspects are: identification of several immediate threats, then a brief overview of
current trends and finally considers several strategies (with examples) for the effective use of secure digital identities for national development.

Digital Identity Ecosystems depend on computer or some digital systems infrastructure. Due to these infrastructure challenges in Nigeria and, to a large extent, Africa, the scalable infrastructure solution to provide cost savings (reduced cost) and effective service in the Digital ecosystem is the Cloud Infrastructure Technology. Even though Cloud infrastructure is shared, and users may have some reservations in sharing sensitive resources, the use of the Data Colouring technique among the stakeholders in an ecosystem would further improve security and provide for traceability in the event of any tamper.

Data protection remains a challenge among computing infrastructure and digital systems. The Data Colouring technique allows stakeholders and users of digital systems to leverage the strengths of Public Key Infrastructure (PKI), digital fingerprints and digital watermarking to secure data at creation or during storage while still remaining secure during processing.

2. Immediate threats

This section presents three prominent cybersecurity threats that are relevant to Digital Identity. During the Covid-19 pandemic, more entities (institutions and organisations) were forced to embrace the Cyberspace and transited or shifted into the digital space to carry out various operations and transactions. This implies we now require radically different and more robust identity systems, as our existing systems no longer serve or are inadequate to manage the current security and privacy challenges that come with the "new territory".

Before the pandemic, most of our identity verifications (systems and processes), not only in Nigeria, have been based on face-to-face interactions and also on physical documents and processes [4].

This first threat highlights the inadequacies of existing infrastructure, processes and procedures for robust identity verification online.

Now that the world and the "normal" way of life is gradually changing and becoming more digital, so also would crime that was once rooted in the "physical world" start to become evident in the "digital world". Unlike in the physical world, tackling crime in the digital world is more challenging because of identity verification issues and its frequency of occurrence; attackers are also continuously changing their methods of operations.

In recent times, data breaches and identity theft on a larger scale have become common. Every hour there is a report of breaches involving identity theft, stolen intellectual property, financial fraud and even divulged military and diplomatic secrets. Most recently we have had attacks on National Research Institutions: as recently as May 2020, "ARCHER", a research supercomputer in the UK, was attacked. This was possible through the misuse of some user accounts, thereby affecting access to the service [5,6].

In July 2020, CNN also reported about an alleged Russian cyberattack on Covid-19 vaccine research institutions in the UK, US and Canada [7]. In June 2020, the Australian Prime Minister said malicious activities have increased over months although no major personal data breach was recorded [8].

This second threat highlights how a lack of a robust and comprehensive Digital Identity framework enhances criminal activities online.

Using Digital Identity, Nations can build a comprehensive profile on the political, educational and economic behaviors of their people, thereby aiding the Nation in planning and addressing the needs of its citizens [9].

The third threat is the divide between citizens on one hand and parliament/government on the other hand. The borderless nature of cyberspace allows Nigerians living in Nigeria to become digital citizens of other nations in pursuit of access to services if policy makers and government do not act.

Another important threat in Digital Identity Ecosystems is Privacy, which will be discussed in Section 5. This section has presented three clear and immediate threats that relate to Digital Identity Management in Government and Cybersecurity. Demand for Digital identification and identification services is rising, especially in these changing times; as is well known, a critical problem in Cyberspace is knowing with whom you are interacting.

The next section presents a brief overview of current trends in Digital Identity with some examples of pitfalls Nigeria and indeed any government needs to avoid.

3. Current trends in Digital Identity

This section briefly discusses current trends in Digital Identity including international standards, with examples from Nigeria and other nations.

Why then is Identity, whether physical or digital in nature, important? Why is Digital Identity one of the most significant technologies in the world? [10]. To answer these questions, we need to understand what identity is, its role in Cyberspace and the United Nations’ Sustainable Development Goals (SDGs) transformative promise of the 2030 agenda of ’leave no one behind’ (LNOB) [11].

Identity according to [4,12,13], whether physical or digital, is a collection of individual information or attributes that describes an entity, and it is used to determine the transactions in which the entity can rightfully participate." Identity is "what makes us unique and identical to others."

According to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), entities may be a person, organization, software application, device, SIM card, a passport, a network interface card, service or even a website. It further describes attributes as a characteristic or property of an entity. Attributes can be your Name, username/password, email, identification numbers, date of birth, phone number, biometrics, identification number among others, while activities can be purchase history, search inquiries, Facebook/Instagram posts, etc. [12,14].

A Digital Identity will give the citizens a single secure way of using services online. Digital Identity includes everything from policy to technology and systems. A Digital Identity system according to [11] has the same basic structure as a physical identity system, but its attributes’ storage and exchange are entirely digital, usually in a computer or digital systems, thereby removing reliance on physical documents and manual processes.”

Since Digital Identity can take different forms and it is already a day-to-day reality in the way citizens and stakeholders interact, it is important for the National policy makers and government to establish laws and policies that govern the extent to which data can be consolidated, how states can interconnect and anticipate the needs of its citizens. According to [13], 1.1 billion people on Earth cannot securely prove their identity and are therefore deprived of education, health services among other social benefits. The UN’s SDGs goal intends to allow every world citizen by 2030 to exercise their "fundamental human rights" to services with minimal hassle as much as possible.

A unique Digital Identity could enable citizens to perform a number of activities after authentication by a combination of any of the following attributes: passwords, pins, smartcards, tokens, biometrics, etc. This is the way the whole world is going; we either join the bandwagon at our pace or we are forced to perform painful jumps or shifts later, like we have seen in the case of the Covid Pandemic where the educational system was disrupted, and everyone had to go online. Nigeria already has an alarming number of out of school children/youth in the World, with one (1) in every five (5) out of school being in Nigeria [15]. It was surprising then that in a particular Nigerian State, the State Government
was going to sanction schools that were having remote/online classes. This is unfortunate and counterproductive (this is not to judge the details of the alleged flouting of a Covid protocol). We should note that remote online education is here to stay, so instead we should see it as an opportunity to teach citizens, the children and other students about Digital Identity safety. The World would move despite a particular country’s peculiar problems.

According to Ref. [16], a Digital Identity infrastructure, while it is an enabler of more efficient service for the citizens, is also an enabler of financial gains for the governments and can act to limit potential leaks in government benefit programs.

The Nigerian Digital Identity system should long have been functional notwithstanding, and the Government needs to fully deploy a Digital Identity Ecosystem that the citizens would trust for it to be successful.

In the Canadian Province (State) of British Columbia, Digital Identity cards are used for authenticating citizens during access to health services and other public services online. In countries like New Zealand, businesses are assigned a unique Identity number that allows for operations such as payments to be done electronically, and since anyone can verify the business data electronically, it is easy for the public to verify a legitimate business. In addition, it is also expected to save the government of New Zealand $60 million annually [16,17]. This should be similar to the code obtained from the Nigerian Federal Inland Revenue Service (FIRS) and as such should result in financial savings for the Country.

In the UK, “GOV.UK Verify” [18] is a government programme that aims for citizens and residents to use verifiable single digital identities across both private and public sector services online. The Director of Digital Identity at the UK Government Digital Service says "people will rely on a robust Digital Identity Ecosystem in order to access critical services. They also need to know their data is safe and being used in the right way. And they expect a level of simplicity that they can navigate and understand". This is very true.

The UK Government system allows a variety of identity providers to verify the person’s identity. Among the identity providers are the Post Office, Banks and Private Identity companies. GOV.UK Verify works for anybody (not only its citizens) who has a UK address [19].

This paper only considers selected initiatives in some European member states; it doesn’t consider the exhaustive list of all European member states’ initiatives. It also doesn’t consider the implementation of the eIDAS and portability of Digital Identities for citizens when migrating from one European country to another.

Digital Identity Ecosystems are often implemented around Single Sign On mechanisms that allow the use of just one identity to authenticate and authorize access to various systems integrated via a federation of different organisations or institutions. While various mechanisms, protocols and frameworks exist for Single Sign On that focus on the use of passwords, including Shibboleth and Security Assertion Markup Language (SAML) 2.0, other standards focus on non password-based systems, including OpenID and Fast Identity Online (FIDO). However, more research work is required for Single Sign On systems to safely handle bio-metric authentication in this regard.

4. Comprehensive Digital Identity ecosystem

This section presents key strategies for the effective use of Digital Identity for national development. An Ecosystem according to [20] is defined as the complex of living organisms, their physical environment and all their interrelationships in a particular unit of space, which can be further characterised.

Digital Identity includes everything starting from policies, to processes through to the technology and systems [21]. Thus, according to [21,22], a Digital Identity Ecosystem is made of and can include government agencies/institutions, academic institutions, private and commercial sector businesses, individuals and the technology systems that work together to deliver a secure way to verify attributes of an entity’s identity online to access services. A Digital Identity Ecosystem can be created by any of these participants/stakeholders mentioned and users can have the choice to pick from any of the public or private sector ID providers as seen in “GOV.UK Verify”.

The Digital Identity Ecosystem aims to build the connections between the people and the Institutions with an intent of improving performance and trust among its participants through data protection law and policies. Like any identity system, it is essential that broad data protection laws and policies be in place to guarantee and enforce the fair and just use of any Digital Identity System. A Digital Identity Ecosystem would eliminate the need for citizens or users of government services to always visit the government office physically with identity documents for verification.

The author in [22] advises that the Digital Identity Ecosystem needs to be created without giving up a citizen’s rights to informational privacy and autonomy. If possible, within a Digital Identity Ecosystem, shift power to make decisions closer to the citizens rather than the authorities, thereby protecting individuals from harm or state surveillance. The Digital Identity Ecosystem needs to be based on right access, transparency, interoperability, consent and user protection among others.

The trends presented in section 3.0 include system design support for multiple providers and stakeholders. This provides resilience against failure of a single centralized point causing a national outage that can affect all financial, private and public sector operations. Even when a well-planned infrastructure would mitigate the risks that a poorly planned design system may cause, users of the system need to be instructed to exercise control while using the infrastructure, with immediate enforcement for violators of the services. A good Digital Identity system, aside from its economic value to the country, stands to also benefit and protect the public from harm and loss or theft of data [23].

Nigeria still has its Digital Identity Ecosystem in its infancy, so this may be a good time to improve it. Let us consider the Digital Identity Ecosystem of some countries - Australia and Italy - due to some similarity with the Nigerian setup.

The Australian Government in its quest to provide a robust system created the Australian Digital Identity Ecosystem based on the following [21],

● it is optional:
● it is federated:
● it has a central government identity provider (similar to National Identity Management Commission [NIMC])
● it uses facial verification service (from a security point of view, other forms of identity verifications are necessary)
● it represents a whole-of-economy solution

Creating and using Digital Identity in Australia remains voluntary and a matter of personal choice. This is more human rights friendly when compared to it being mandatory. The Ecosystem is made up of government agencies, the private sector businesses and others working together as a federation in a secure way to prove a person’s identity online and allow access to online services.

As the system is voluntary and consent is sought at every step, these provide citizens with some level of Privacy. The Australian Digital Identity Ecosystem was built with Security embedded in the system design and in consultation with other stakeholders. This may be the reason the Country was able to detect the rise in malicious attacks. An Oversight Authority governs the operational assurance of the system, thereby enforcing Integrity.

Just like the Australian Government, the Italian Government too has worked hard on its Digital Identity System. In 2016, it started to roll out the Italian electronic Identity (eID) card (also called Carta d’Identità Elettronica - CIE) to serve as both a means of identification (to certify the identity of the holder) and authentication (for online e-Government
services). The card is contactless and among other details contains the fingerprints and a digital version of the photo, in addition to an option to provide consent as an organ donor. Consent is one great attribute of a good Digital Identity - it means the person knowingly registered and is fully aware of what personal data was captured and how it would be used. The eID is used to unequivocally certify the identity of citizens and the only recognised Identity Provider is the Italian Interior Ministry. It is a scheme based on the National Identity card [24]. It was deployed after another IDS called Sistema Pubblico di Identità Digitale (SPID). SPID is the Italian identity system that enables both citizens and businesses to access public administration services online. SPID supports multiple Identity Providers and Service Providers; it allows access to at least one service provided by a public sector body in Italy [25].

These two Identity systems integrate seamlessly with the European Union’s eIDAS to allow Italian citizens to access, with their SPID credentials and with the CIE, online services of the other Union States that have created their national node integrated with the eIDAS. For the purpose of this article and as it relates to the Nigerian system, the authors are reflecting only on the eID.

The benefits of this card to Italy include:

Boosting efficiency and economic development for the country, as with over 70 countries engaged in a national eID scheme it would allow for an easier travel experience and protect against identity fraud.

Digital growth as there is a boost in the usage of technology and an intensive and secure use of digital exchanges to stimulate economic growth and social cohesion [26].

The main challenge with the Italian eID card process is its long waiting time to get an appointment at the registry; to solve this issue an app was launched to help reduce the waiting times by managing the preliminary stages of the request via the smartphone.

The Nigerian Government launched its National ID card in 2014 by the then President Jonathan Goodluck. Among its functions the card is to act as an electronic (digital) ID that would hold the holder’s Name, Address and National Identification Number (NIN) and also serve as a Biometric eID that supports fingerprinting (it contains the 10 fingerprints of the holder). This card is to serve in subsequent applications like eVoting, eHealth among others, though a lot of this remains to be implemented and, despite the figures of those registered, a lot more citizens have not been registered or do not have access to it.

In 2019, the Nigerian Government through the National Identity Management Commission (NIMC) launched its Digital Identity Ecosystem; among its intentions is the collection of citizens’ biometric data nationwide within the shortest time possible [27], though it may be worthwhile to assign a cap to "shortest time possible". The Nation needs to implement specific laws and policies enforcing technological upgrade and Data protection among its various stakeholders. This is a great start for the Steering Committee for the Nigeria Digital Identity for Development Ecosystem Project that has as one of its terms of reference the "review of the legal and regulatory framework for Digital Identity development". Given the stated challenge with the Italian eID process, the use of cellphones (not only smartphones) for answering preliminary questions, booking and managing appointments would reduce waiting time for users at NIMC’s office and improve users’ experience. This could also be applied to many other government services.

4.1. Digital Identity ecosystem and its potential benefits

Improved efficiency: According to a World Bank article of August 2020 [23], we further see practically how some countries during the pandemic, using their Digital Identity system, could reliably identify vulnerable groups that needed emergency cash transfers. The Thailand government could filter out those eligible to receive assistance from other schemes and the Indian authorities could make quick payments to more than 200 million women as there was an improved process linking the individual’s account to their digital ID.

This may have been a great tool for the Nigerian Ministry of Humanitarian Affairs, Disaster Management and Social Development.

Reduced fraud: It is possible to reduce Identity Fraud by using a highly trusted, secure and accurate Digital Identity Platform, as fake IDs and documents that may easily get past human inspection, scanners and other basic online Identity solutions will fail the digital scrutiny. According to [28], 41% of all frauds are Identity Fraud and 84% of identity fraud are committed online. The recent case involving Ramon Olorunwa Abbas (aka “Ray Hushpuppi” and “Hush”) is one example of a cyber fraud and criminal impersonation involving identity. With the right technology, global fraud can be minimised; analyses of transactions of a given user can be used to create a likely digital profile of the user - a possible way the Dubai Government was able to successfully stop Ramon Olorunwa Abbas.

Reduced administrative cost and improved efficiency: With a robust secure Digital Identity Management infrastructure, there would be no need to deploy multiple expensive systems or deploy various support and help desks to carry out mundane tasks. This would then allow the staff driving these systems to focus on delivery of efficient services instead.

Reduced operating cost: The public and private services would definitely benefit from a reduced operating cost, as there would be no need to have as many people performing identity verification in person.

Improved security and enhanced privacy: The federated deployment of the infrastructure provides for collaboration between the government agencies in the state and local governments and even with other providers on the platform. All providers would have to be accredited against a minimal security awareness level, thereby contributing to the increased awareness on all levels and making sure there is improved security where it is lacking.

5. Security issues and Privacy (Digital Identity and Data Protection)

Even as Digital Identity is critical for trust and innovation while using the Internet, the Citizens also have concerns about privacy, human rights and security [29]. How about the citizen’s right to privacy and minimal exposure of personal data?

Allaying the fears of citizens and users is very vital in the development of a robust and successful Digital Identity Ecosystem. If the Ecosystem is built as stoutly as it should, it would also address the issue of ownership and control - it is very vital to fulfil this requirement, as anyone who owns or controls your identity data could use them to impersonate you and carry out malicious activities.

The Digital Identity Ecosystem needs to fulfil the "only-I-could-use-this" aspect which in turn breeds trust and accountability among users.

Fig. 1 shows an end-user trying to access an arbitrary service within a Digital Identity Ecosystem. The process begins with a request from the end-user (a citizen) to a service provider (e.g., FIRS). The service provider then triggers an authentication request to an Identity Provider that has been selected from a government accredited list. The end-user authenticates directly with the identity provider (the service provider wouldn’t need to know anything about the end-user’s identity credentials).

The Identity Provider informs the service provider of the outcome from authenticating the end-user. For a positive outcome, access to the needed service is granted while for a negative outcome, access to the requested service is denied.

End-user access to Digital Identity based service could be over the web, telephone or mobile application (app); the different options available mean that even the citizens in the rural communities can access and use this service.

In Belgium, the Citizens rely on an app that enables them to know who has accessed their data and for what reason; citizens can access the app only using the National electronic ID Card.

NIMC is also developing an “innovative” mobile app that allows citizens to log in with their National Identification Number (NIN) and

Fig. 1. End-User Access to Digital Identity based Service.
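
The exchange in Fig. 1, written out as an added example (it is not code from the paper or from any identity scheme it names): the service provider accepts an outcome only from an Identity Provider on the accredited list and never handles the end-user's credentials. The signed assertion with its nonce, audience and expiry checks goes beyond what the figure states and is an assumption, as are the HMAC standing in for a PKI signature and every name, key and PIN, all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed accredited list: IdP id -> verification key. HMAC with a per-IdP
# key is an assumption standing in for the PKI signature a federation would use.
ACCREDITED_IDPS = {"idp-post-office": b"constructed-demo-key"}
ITERATIONS = 100_000


def _sign(key, claims):
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds end-user credentials; the service provider never receives them."""
    def __init__(self, idp_id, key):
        self.idp_id, self._key, self._users = idp_id, key, {}

    def enrol(self, user, pin):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
        self._users[user] = (salt, digest)

    def authenticate(self, request, user, pin, now=None):
        now = time.time() if now is None else now
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        supplied = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
        ok = hmac.compare_digest(supplied, stored)
        # Pairwise pseudonym: the service gets a stable handle, not the login name.
        handle = hmac.new(self._key, f"{request['service']}|{user}".encode(),
                          hashlib.sha256).hexdigest()[:16]
        claims = {"idp": self.idp_id, "audience": request["service"],
                  "nonce": request["nonce"], "expires": now + 120,
                  "outcome": "positive" if ok else "negative",
                  "subject": handle if ok else None}
        return {"claims": claims, "signature": _sign(self._key, claims)}


class ServiceProvider:
    def __init__(self, service_id, accredited):
        self.service_id, self._accredited, self._pending = service_id, accredited, {}

    def start_request(self, idp_id):
        if idp_id not in self._accredited:
            raise ValueError("identity provider is not on the accredited list")
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = idp_id   # single-use: decide() pops it, blocking replay
        return {"service": self.service_id, "nonce": nonce}

    def decide(self, assertion, now=None):
        now = time.time() if now is None else now
        claims = assertion.get("claims", {})
        nonce = claims.get("nonce")
        asked = self._pending.pop(nonce, None) if isinstance(nonce, str) else None
        key = self._accredited.get(claims.get("idp"))
        if asked is None:
            return "deny: unknown or replayed nonce"
        if key is None or claims.get("idp") != asked:
            return "deny: unexpected identity provider"
        if not hmac.compare_digest(_sign(key, claims), str(assertion.get("signature"))):
            return "deny: bad signature"
        if claims.get("audience") != self.service_id:
            return "deny: assertion issued for another service"
        if now > claims.get("expires", 0):
            return "deny: assertion expired"
        if claims.get("outcome") != "positive":
            return "deny: authentication failed"
        return "grant:" + claims["subject"]


def demo():
    idp_id = "idp-post-office"
    idp = IdentityProvider(idp_id, ACCREDITED_IDPS[idp_id])
    idp.enrol("citizen-001", "4821")            # constructed end-user and PIN
    sp = ServiceProvider("tax-portal", ACCREDITED_IDPS)
    results = {}
    good = idp.authenticate(sp.start_request(idp_id), "citizen-001", "4821")
    results["valid"] = sp.decide(good)
    results["replay"] = sp.decide(good)         # same assertion presented twice
    wrong = idp.authenticate(sp.start_request(idp_id), "citizen-001", "0000")
    results["wrong_pin"] = sp.decide(wrong)
    altered = idp.authenticate(sp.start_request(idp_id), "citizen-001", "0000")
    altered["claims"]["outcome"] = "positive"   # changed after signing
    results["tampered"] = sp.decide(altered)
    late = idp.authenticate(sp.start_request(idp_id), "citizen-001", "4821")
    results["expired"] = sp.decide(late, now=time.time() + 600)
    unlisted = IdentityProvider("idp-unlisted", b"constructed-other-key")
    unlisted.enrol("citizen-001", "4821")
    answer = unlisted.authenticate(sp.start_request(idp_id), "citizen-001", "4821")
    results["unaccredited"] = sp.decide(answer)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the first case ends in a grant; the other five show the service provider refusing an outcome it cannot tie to its own request and to an accredited provider.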

registered phone number. Preliminary activity (testing) shows issues with privacy and data security as the app reportedly produced wrong user data (belonging to someone else). It can result in a lack of trust in the entire Ecosystem, although this can be resolved possibly through Data-Colouring (Section 6).

5.1. Trust issues in Digital Identity Ecosystems

The ability for a user to trust any Digital Identity Ecosystem with sensitive information remains its most herculean task. This is a very important requirement of its full acceptance, especially in some parts of the world like Nigeria. Recent cases of massive expensive data breaches of identity and information have continued to emphasise the importance of trust and how vital it (trust) is for the growth of Digital Identity [30]. An example is the case of Cambridge Analytica, which eroded trust in online systems, indirectly affecting end-users’ resolve and trust of the Digital Identity Ecosystem.

Countries like the United Kingdom and India, despite their well-meaning vision of implementing Digital Identity systems (the UK National ID Card and the Indian Aadhaar Biometric ID Program), both failed because user trust was lacking. The systems were seen to be highly intrusive and non-voluntary, and in the case of India there were even cases of security breaches leading to it being curtailed by the Indian Supreme Court, and an outright disbandment in the case of the UK. Lack of user trust could have crept in as a result of lack of stakeholders’ input and mission, among other causal factors [31].

According to [22], Kenya’s National Identity System is beginning to show early signs of poor identity and data practices, as it has extended its initial mandate by amending the existing identity legislation to enable collection of DNA from its citizens and foreign residents with no corresponding overarching data protection legislation to protect individuals from abuse prior to the creation and use of a central DNA registry. From previous studies, this path has been shown to likely cause potential harm and rejection of the system by the citizens. Considering that this information is public knowledge, there is no need for Nigeria to repeat these costly known mistakes.

Trust is central to any Digital Identity Ecosystem as shown in Fig. 1, a service provider trusts the Government accredited Institute as a valid

attributes. Also, a service provider has to trust that the identity provider would authenticate the end-user correctly. The end-user has to trust that all parts of the Ecosystem are functional to a high degree of security adequate for maintaining privacy. That is, end-users have to trust that the service provider would safeguard all personal data while equally trusting the identity provider to safeguard his/her identity credentials and trust that no single part of the Ecosystem would invade his/her privacy, the so called ‘big brother’ effect.

The UK Government, in its efforts to allay users’ fear of the "big brother" approach, created its Ecosystem to include the Private Sector as certifying companies. This way the Government eliminates the fears and avoids any such accusations with more support from the users.

Who develops this Digital Identity database and application is also vital - Is it a home-grown trusted entity or a foreign entity with allegiance to an external government that may undermine National Data Protection Laws, Government of Nigeria and its Citizens?

Is the captured Digital Identity vulnerable to abuse or can it be used to stifle expression or political manipulation?

5.2. Human Rights and Privacy Issues

Even in a digital context, Human Rights is fundamentally about allowing end-users to choose what digital information may be stored about them, by whom and to whom it should be provided. Many times, little or no attention is given to the question of “if the end-user wants his/her data captured?”. Obtaining the response to this question should be the basis for entry of user-data into any Digital Identity Ecosystem alongside considerations about the purpose and use of the captured data.

The UN’s 2030 Agenda for Sustainable Development and its Sustainable Development Goals (SDGs) central transformative promise of “leave no one behind (LNOB)” suggests that in a highly technological society where all services are only available via a Digital Identity Ecosystem all citizens would lack alternatives to a Digital Identity. Is today’s Digital Society not gradually eroding our rights to choose?

Digital Identity, as a building block of the modern society and economy often include design elements that are outside the well-
source of certified providers for both identity verifications and established frameworks of privacy and data protection. The question

of end-user consent, ability to opt out and privacy in all areas should be central in the design of a Digital Identity Ecosystem. Is the service provider or identity provider able to prove that the end-user’s privacy has been maintained at all times?

While it is possible to change your passport, this does not apply to biometric data. In this regard, data protection and its implementation are needed to promote and respect the right to privacy even where there is no constitutional right to it.

Another common issue is the abuse of the end-user’s consent within the Digital Identity Ecosystem. Section 6.0 presents Data colouring as an innovative solution that can be used to address this and other issues discussed in this section. In the Data colouring process, unique colour drops can be used to secure individual identity transaction chains. The colour drops are built from a combination of the digital identities of the service provider, the identity provider and the end-user as owner of the data, as well as the consented/intended purpose. Abuses are then easier to detect.

6. Cloud and Digital Fingerprints: A Proposal for the Nigerian Digital Identity Ecosystem

There is no doubt that more and more entities and institutions would move to the cloud. Security challenges affecting the cloud may not be new but the mode of addressing them would be different. With the Cloud infrastructure the added security solution would vary based on the Cloud service model (IaaS, PaaS and SaaS) and the Cloud architecture model (Private, Public or Hybrid).

The author, while at Brunel University London, developed a Data Colouring technique for securing data processed or stored on both cloud and non-cloud platforms. The technique combines Public Key Infrastructure (PKI), concatenated fingerprints and digital watermarking. Using this technique, data can be secured at creation or during storage and remains secure during processing.

The work at Brunel University was successfully applied to securing images and text files on generic Public clouds. As far as the authors know, this article is the first time data colouring is being applied to secure digital Identity systems on any scale.

As earlier suggested, building a Digital Identity Ecosystem using Cloud Infrastructure is a scalable solution capable of handling millions of end-users and services. In the context of a National Digital Identity Ecosystem, the right government agency would be responsible for running the platform (infrastructure). In the case of Nigeria, the National Information Technology Development Agency (NITDA) could be responsible for running such a platform for all providers (government and non-governmental) while still allowing end-users to retain ownership of their artifacts as Data.

6.1. Digital Fingerprinting

Digital fingerprinting ensures that different watermarks are embedded in every copy of a distributed dataset (digital file) [32].

As discussed in Section 5.0, end-users are still not comfortable with the idea of having a faceless entity host their data where there is still no existing solution that allows the user to secure its data before uploading on to the Digital Identity Ecosystem or while processing. Digital fingerprinting solves this, as data can be associated with an individual for ownership, a service provider as a custodian and any other entity as a consumer. In case of data loss or theft (by hacking), digital fingerprinting provides the ability to trace the point of theft or loss and also detect changes or modification to the data.

6.2. Data Colouring

Data colouring may be considered as a special form of digital watermarking, where fragments of the digital fingerprint known as colour drops are distributed or spread out within the datafile. That is, the fragments of the digital mark are not co-located or limited to a specific location or segment. Data colouring allows users to secure their data using colour drops without the drops being visible [30].

Fig. 2 shows the data colouring process, where according to [33,34] the colour drops are a combination of an “expected” value (artifacts + consent) known only to the data owner (end-user), an “entropy” value known only to an identity provider and the "hyperentropy" value known to a service provider. These values are combined together to generate a collection of colour drops that forms a unique colour that can uniquely identify individual identity transactions.

Fig. 3 shows an overview of the processes within the proposed “Data Colouring enabled Digital Identity Ecosystem for Nigeria”. As shown, Data colouring is used to secure the key processes, specifically:

a.) The download of identity and attributes provider lists by a service provider
b.) The exchange of attribute lists between a service provider and an attribute provider
c.) The authentication request/response between Service Provider and Identity Provider
d.) As well as the end-user authentication and consent.

Based on Fig. 3, take three (3) Government Institutions as an example: NIMC, the National Population Commission (NPC) and the Nigerian Immigration Service (NIS). Deploying the proposed Data Colouring enabled Digital Identity platform would meet the needed minimum scalability with high availability (based on cloud technology) and security requirements. It also allows NIS (or any provider) to retain ownership of their databases or datasets by using data-colouring to secure portions that are exchanged with NIMC or NPC. Similarly, NIMC and NPC can use data-colouring to verify the integrity of the portions of data they receive.

Although not shown in Fig. 3, Data Colouring can also be used to secure individual records within a database or dataset. The verification of the data colours embedded in a record can then be used to prevent the display of wrong records to an end-user, as was the case with the testing of the NIMC mobile app.

6.3. Other solutions and recommended mitigations

Although the solution for a successful deployment of Digital Identity Management cuts across different aspects (Governance and Technology), the substance of the discussion here is mostly about the deployed Technology and "Personal Cybersecurity".

6.3.1. Governance

Globally, most countries have enacted Data Protection laws. Nigeria, through the NITDA Act of 2007, allows the National Information Technology Development Agency (NITDA) to develop regulations for electronic governance and monitoring of the use of information technology and electronic data. This governance needs to cover or be understood even in certain contexts such as environment and law enforcement contexts. Structures need to be put in place for enforcement of this governance, especially as it relates to shared resources. Considering the scope of this topic/paper, Governance is not exhaustively discussed here; suffice it to note that it involves every stakeholder, is collaborative and, very importantly, is a vital aspect to be looked into and implemented, as it forms the basic founding block of any trusted secure identity management system. A strong and comprehensive strategic cybersecurity framework needs to be developed that would enhance a response plan to cyber-attacks/events, along with regulations that clearly ensure data privacy and security.

6.3.2. Operations

Most attacks that have been carried out have always been socially engineered to prey on people’s fears, habits and, ultimately, their personal details. In this "Covid-19 era" and beyond, it is important to refocus


Fig. 2. Data colouring process.

Fig. 3. Data Colouring enabled Digital Identity Ecosystem Process.
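
Added example (not the authors' implementation): an illustration of the colour-drop generation described in Section 6.2, in which each party derives a per-transaction share from a secret only it holds and the three resulting values drive a forward normal cloud generator, the cloud-model construction from which the terms expected value, entropy and hyperentropy come. The HMAC derivation, value ranges, secrets, transaction fields and the position-by-position check are assumptions of this example; embedding the drops in the data as a watermark is not shown.

```python
import hashlib
import hmac
import random


def party_share(secret: bytes, txn_id: str, purpose: str) -> bytes:
    """Computed locally by one party: binds its secret to a transaction and purpose."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [txn_id.encode(), purpose.encode()]
    context = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, context, hashlib.sha256).digest()


def _scale(share: bytes, lo: float, hi: float) -> float:
    """Map the first 8 bytes of a share to a float in [lo, hi)."""
    return lo + int.from_bytes(share[:8], "big") / 2**64 * (hi - lo)


def colour_drops(owner_share, idp_share, sp_share, n=64):
    """Forward normal cloud generator: n colour drops from (Ex, En, He)."""
    ex = _scale(owner_share, 0.0, 1000.0)  # "expected" value: data owner
    en = _scale(idp_share, 5.0, 10.0)      # "entropy": identity provider
    he = _scale(sp_share, 0.5, 1.5)        # "hyperentropy": service provider
    seed = hashlib.sha256(owner_share + idp_share + sp_share).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    drops = []
    for _ in range(n):
        en_i = rng.gauss(en, he)           # per-drop entropy, jittered by He
        drops.append(round(rng.gauss(ex, abs(en_i)), 6))
    return drops


def check_colour(extracted, owner_share, idp_share, sp_share):
    """Regenerate the colour and compare it with the extracted drops.

    Returns (fraction of matching drops, indexes of drops that do not match).
    """
    if not extracted:
        return 0.0, []
    expected = colour_drops(owner_share, idp_share, sp_share, len(extracted))
    bad = [i for i, (got, want) in enumerate(zip(extracted, expected)) if got != want]
    return 1 - len(bad) / len(expected), bad


# Constructed sample secrets and transaction fields (assumptions, not from the paper).
OWNER, IDP, SP = b"owner-demo-secret", b"idp-demo-secret", b"sp-demo-secret"


def shares_for(txn_id, purpose):
    """Each party would compute its own share; gathered here for the demo."""
    return [party_share(s, txn_id, purpose) for s in (OWNER, IDP, SP)]


def demo():
    consented = shares_for("txn-0001", "passport-renewal")
    drops = colour_drops(*consented)
    # Simulate modification of the first quarter of the coloured data.
    tampered = [d + 1.0 for d in drops[:16]] + drops[16:]
    return {
        "intact": check_colour(drops, *consented),
        "tampered": check_colour(tampered, *consented),
        # Same data presented under a purpose the owner never consented to.
        "other_purpose": check_colour(drops, *shares_for("txn-0001", "marketing")),
    }


if __name__ == "__main__":
    for case, (fraction, bad) in demo().items():
        print(f"{case}: match={fraction:.2f}, mismatched drops={len(bad)}")
```

Because the purpose is part of every share, reuse of the same data under a different purpose produces a different colour, which is how abuse of consent becomes detectable in this model.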

Cybersecurity best practices on "Security Hygiene." These are basic best practices and should include the following:

● frequent patching and installation of software updates on systems
● up-to-date malware and antivirus database protection, and opening only the necessary firewall ports.

At the beginning of the Pandemic, we saw how national Governments would have played into the hands of malicious users just from not following basic Cyber hygiene. For example, in Nigeria a virtual FEC meeting was held using systems with an older Windows OS that was no longer supported; this mistake may have been costly, and it would have been a different story had a malicious user exploited it to gain access and pretended to be one of the participating Government officers.

Timely response - as with all security and especially in the
Cyberspace, proper and immediate defence response against threats is the most effective form of cybersecurity as there would always be these threats. If threats and attacks are not tackled in the minimal time possible, it gives the attackers more time to poke around and steal sensitive data. Organisations need to carry out more security monitoring of their systems, probe the defences of their systems to identify vulnerabilities and places where systems have not been properly configured for defence, and prioritize security solutions based on the severity of the specific risk to the organization.

Monitoring and Management - Cybersecurity is rarely about the "newest" security control; it’s just as simple as making sure that the systems are placed rightly, and proper procedures are adhered to in the management processes. Security monitoring is not rocket science: it is basic and practical, and the most effective form of security is to spot obvious symptoms of an anomaly.

A vital aspect of the job of a Chief Information Security Officer (CISO) rests continuously on enforcement and re-training the users on cyber awareness. Keeping the Digital Identity Management platform secure need not be complicated, but it does require a lot of effort, teamwork and using the right technology.

6.3.3. End-user awareness

In a Digital Identity Ecosystem, the end-user’s security is as important as that of the service provider. It can be argued that the end-user (human error) is the weakest link in a secure identity system.

With remote working and learning, the use of Digital Identity is more pronounced now, even though, consciously or not, we have always used a form of Digital Identity each time we access any service online or install an app. It ranges from the use of biometrics and passwords to PINs, smart devices or security tokens.

The author in [12] says "information in cyberspace can be grouped into two categories: digital attributes and digital activities". No doubt, with this information readily available, a hacker can identify the target. Digital attributes include biometrics, date of birth, medical history, identification number and bank details, among others. Digital Activities include purchase history, forum posts, photos on Facebook, etc.

Just like with technology, Personal Cybersecurity consists of basic protective measures that include adhering to the following:

● Use a different password from other online services that are not connected to your Digital Identity. It may be difficult to start, but it is a good practice. In the event your password is compromised on a particular service, only that service may be affected, as opposed to compromising your Digital Identity and features, which would be more disastrous and costly, psychologically as well as financially.
● Make sure you create strong passwords with a combination of letters (small and CAPITAL), symbols and numbers. Most sites now make it compulsory for users to use these combinations.
● Do not send passwords electronically and, if you must, change the password immediately.
● Another very common yet effective way an attacker operates is through the use of phishing mails: emails that look legitimate but are in fact an attempt to get personal information from the recipient.
● Always, where possible, use two-factor authentication.
● Do not expose yourself unnecessarily to open public WiFi networks. We don’t have a lot of them around in Nigeria, but be careful wherever you use them.
● Avoid accessing uncertified or unsecure websites as much as possible and never, under any circumstances, provide your attributes on an unsecure website or system.
● A stranger is a stranger; treat them as that and never supply information or allow them access to your phone. Be very careful what you communicate with them and never fall for social engineering tricks.

By any measure, the problem of data loss or theft due to breaches has reached crisis proportions; for every cybercriminal’s gain, it is a great loss to a law-abiding citizen. Aside from individual national and personal losses, it was estimated that the world economy had lost up to 2 trillion dollars by 2019 [35].

7. Conclusion: way forward for Nigeria, Work to do

Most especially during this Covid-19 Pandemic, the world and governments have seen the urgent need to deploy a secure, robust Digital Identity system that allows citizens to have more control over the information disclosed.

The use of a secure and robust digital identification system that is capable of protecting privacy is an essential, reliable and user-friendly element for a strong cyber resilience strategy and is a source of new business opportunities and applications for banks, private sector with a return on their investment.

In the words of Avril Haines (the White House Deputy National Security Advisor) “the effective domestic coordination of cybersecurity and Digital Identity could take years.” Cybersecurity starts and stops at the desk of the National Security Adviser (NSA) as mandated in Section 41 (b) of the Cybercrime (Prohibition, Prevention, etc) Act, 2015. By the nature of things, it is not easily visible what is happening in the office of the NSA.

This paper has reviewed occurrences of cybersecurity problems and Digital Identity deployment in some countries, and one would say these are serious and developed economies; if the green tree catches fire, heaven have mercy when it comes to the dry tree. The task ahead requires collaboration and accountability in all spheres among policy makers and professional operators. Collaboration among Nations and partners too is equally vital, and mutual trust requires trustworthy stakeholders at all levels. Building the Digital Identity infrastructure to include Data Colouring capabilities can enhance trust and security. This paper further provides a first of its kind application of Data Colouring in a Digital Identity Ecosystem.

As outlined in this paper, the march towards Digital Identity is well underway; therefore, focus should be on both adoption and adaption of the new structures and regulations. These are needed to govern the associated services and transactions as well as establishing laws that enforce penalties for violations.

Finally, with regard to the future of Digital Identity, there is a need for substantial dialogue between citizens, policy makers, lawyers and technical experts in evaluating the systems in place, the technical claims made for them and new designs.

Credit author statement

Mary-Jane Sule: Conceptualization, Methodology, Investigation, Writing – original draft, Visualization, Project administration, Resources
Marco Zennaro: Supervision, Resources, Writing – review & editing
Godwin Thomas: Writing – review & editing, Visualization, Formal analysis, Resources.

References

[1] Jason Shelby, Cyber Security Trends Driven by Digital Identity Protection, May 2018.
[2] NIST, An introduction to computer security: the NIST handbook - handbook.pdf [Online]. Available: http://www.davidsalomon.name/CompSec/auxiliary/handbook.pdf. (Accessed 4 March 2016).
[3] DIGIDENTITY, About digidentity, Available: https://www.digidentity.eu/en/home/. (Accessed 17 August 2020).
[4] Irving Wladawsky-Berger, Digital Identity: the Key to Privacy and Security in the Digital World, September 2016. Available: http://ide.mit.edu/news-blog/blog/digital-identity-key-privacy-and-security-digital-world. (Accessed 11 August 2020).
[5] Naveen Goud, British supercomputer ARCHER hit by a cyber attack, Available: https://www.cybersecurity-insiders.com/britishsupercomputer-archer-hit-by-a-cyber-attack/. (Accessed 15 August 2020).
[6] Laurie Clarke, Cyber attack knocks UK research supercomputer ARCHER out of action indefinitely, Available: https://tech.newstatesman.com/security/archer-supercomputer-cyber-attack. (Accessed 15 August 2020).
[7] Zachary Cohen, Luke McGee, Alex Marquardt, U.K., US and Canada allege Russian cyberattacks on Covid-19 research centers, Available: https://edition.cnn.com/2020/07/16/politics/russia-cyberattack-covid-vaccine-research/index.html. (Accessed 15 August 2020).
[8] BBC News, Australia cyber attacks: PM Morrison warns of ’sophisticated’ state hack, Available: https://www.bbc.com/news/world-australia46096768. (Accessed 15 August 2020).
[9] Darío Rodríguez, Carolina Busco, Rodrigo Flores, Information technology within society’s evolution, Technol. Soc. 40 (2015) 64–72, https://doi.org/10.1016/j.techsoc.2014.08.006. ISSN 0160-791X, https://www.sciencedirect.com/science/article/pii/S0160791X14000529.
[10] Thales, Digital Identity trends – 5 forces that are shaping 2020, Available: https://www.thalesgroup.com/en/markets/digital-identity-andsecurity/government/identity/digital-identity-services/trends. (Accessed 17 August 2020).
[11] UNSDG, Universal values principle two: leave No one behind, Available: https://unsdg.un.org/2030-agenda/universal-values/leave-noone-behind. (Accessed 14 August 2020).
[12] Tecnova, Personal cybersecurity and digital identity: how to protect it?, Available: https://www.tecnova.cl/2020/02/17/personal-cybersecurityand-digital-identity-how-to-protect-it/?lang=en. (Accessed 16 September 2020).
[13] Thales, Legal identity, a fundamental human right, Available: https://www.thalesgroup.com/en/markets/digital-identity-andsecurity/government/inspired/legal-identity. (Accessed 17 August 2020).
[14] ISO, ISO/IEC 24760-1:2019(en) IT Security and Privacy — a framework for identity management — Part 1: terminology and concepts [Online]. Available: https://www.iso.org/obp/ui/#iso:std:iso-iec:24760:-1:ed-2:v1:en. (Accessed 11 August 2020).
[15] UNICEF, “UNICEF Nigeria”, Retrieved 1st May 2020 from https://www.unicef.org/nigeria/education.
[16] Jason Hutchinson, Joel Bellman, Steve Hurst, The digital citizen: Improving end-to-end public service delivery via a unique Digital Identity, Available: https://www2.deloitte.com/us/en/insights/industry/public-sector/government-trends/2020/government-digital-identity.html. (Accessed 15 August 2020).
[17] DIGITAL.GOVT.NZ, NZ’s digital transformation, Available: https://www.digital.govt.nz/digital-government/digital-transformation/nz-digitaltransformation/. (Accessed 22 September 2020).
[18] GOV.UK, Government digital service, Available: https://gds.blog.gov.uk/2019/03/25/the-future-of-digital-identity/. (Accessed 17 August 2020).
[19] GOV.UK, GOV.UK Verify overview, Available: https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govukverify. (Accessed 17 August 2020).
[20] Britannica, Ecosystem, Available: https://www.britannica.com/science/Ecosystem. (Accessed 11 September 2020).
[21] Australian Government Digital Transformation Agency, Digital identity ecosystem. https://www.dta.gov.au/our-projects/digitalidentity/digital-identity-Ecosystem. (Accessed 10 September 2020).
[22] Pam Dixon, Digital identity ecosystems, Available: https://www.worldprivacyforum.org/2019/02/digital-identity-Ecosystems/. (Accessed 11 September 2020).
[23] World Bank Blogs, Harnessing the power of digital ID, Available: https://blogs.worldbank.org/voices/harnessing-power-digital-id. (Accessed 10 September 2020).
[24] Ministero dell’Interno, Carta di identita ELETTRONICA - descrizione. https://www.cartaidentita.interno.gov.it/descrizione/. (Accessed 27 July 2021).
[25] Agency for Digital Italy, SPID public digital identity system. https://www.spid.gov.it/?lang=en-001. (Accessed 27 July 2021).
[26] Philip Brey, The strategic role of technology in a good society, Technol. Soc. 52 (2018) 39–45, https://doi.org/10.1016/j.techsoc.2017.02.002. ISSN 0160-791X, https://www.sciencedirect.com/science/article/pii/S0160791X1630149X.
[27] The Guardian, NIMC explains reasons behind new Digital Identity Ecosystem, Available: https://guardian.ng/business-services/nimc-explainsreasons-behind-new-digital-identity-Ecosystem/. (Accessed 16 September 2020).
[28] Thales, National ID cards: 2016-2020 facts and trends, Available: https://www.thalesgroup.com/en/markets/digital-identity-andsecurity/government/identity/2016-national-id-card-trends. (Accessed 13 September 2020).
[29] Sabina Lissitsa, Effects of digital use on trust in political institutions among ethnic minority and hegemonic group – a case study, Technol. Soc. 66 (2021), 101633, https://doi.org/10.1016/j.techsoc.2021.101633. ISSN 0160-791X, https://www.sciencedirect.com/science/article/pii/S0160791X21001081.
[30] European Commission, Digital identity and trust: Commission launches public consultation on the eIDAS Regulation, Available: https://ec.europa.eu/digital-single-market/en/news/digital-identity-and-trust-commission-launches-public-consultation-eidas-regulation. (Accessed 22 September 2020).
[31] Grace Mutungu, Digital identities: issues and cases, Available: https://www.diplomacy.edu/blog/digital-identities-issues-and-cases. (Accessed 11 September 2020).
[32] M. Sule, M. Li, G.A. Taylor, S. Furber, Deploying trusted cloud computing for data intensive power system applications, 50th Golden Int. Universities Power Eng Conf. (UPEC 2015) (Sept 2015) 1–4.
[33] K. Hwang, D. Li, Trusted cloud computing with secure resources and data coloring, IEEE Internet Comput. 14 (5) (Sep. 2010) 14–22.
[34] Y.-C. Liu, Y.-T. Ma, H.-S. Zhang, D.-Y. Li, G.-S. Chen, A method for trust management in cloud computing: data coloring by cloud watermarking, Int. J. Autom. Comput. 8 (3) (Aug. 2011) 280–285.
[35] S. Morgan, Cyber Crime Costs Projected to Reach $2 Trillion by 2019. Available: https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#554e45a53a91. (Accessed 22 September 2020).
