Let’s Get Digital? Policy Options for Ethiopia’s ID System

16 min readDec 12, 2020

To the Prime Minister’s Office

Ethiopia’s community-managed Kebele ID system enjoys wide coverage but does not provide the desired functionalities of a foundational ID. Against this background, Ethiopia’s digital strategy states:

“While there is consensus on the value of national ID, there is a heated debate on the risks and values of a national digital ID.” [1, emphasis added]

The Prime Minister recently charged the Ministry of Peace with developing a national ID strategy which since then launched a pilot for a digital ID in Addis Abeba – the details of which, however, appear not to be public.

This memo contributes to the debate on a digital ID for Ethiopia. It starts with a review of the ID system in Ethiopia to pinpoint reform priorities, then decomposes the identification system into a technology stack, and derives the criteria for digital ID policy evaluation in Ethiopia. Based on this analysis, it identifies and assesses three options for Ethiopia’s ID system to “go digital”, concluding that the existing Tax Identification Number should be modified and expanded to serve as a national foundational ID. It ends with concrete steps for implementation.

Status Quo — Limitations of the Kebele ID System

Ethiopia currently has no national ID. In 2012, the Ethiopian government passed Proclamation №760/2012 which set the legal framework for enrolling all Ethiopians over the age of 17 into a national database and issuing them a national ID card [2]. Implementation was originally scheduled for 2016 but the new agency responsible for it has yet to be constituted. The Government’s digital strategy from 2020 concedes that “initiatives to issue a unique ID in Ethiopia are either nascent or have struggled to succeed so far” [1]. Ethiopia’s civil registry, the Vital Events Registration Agency (VERA), has been recording vital events only since 2016 [3].

The community-managed Kebele ID Card serves as a de facto foundational ID. Kebeles are Ethiopia’s lowest level of administrative units, introduced originally by the Derg regime as a form of local self-government. Each Kebele has its own Kebele office, serving typically between 5,000– 12,000 residents [3]. Every Kebele resident of 18 years or older is eligible to apply for a Kebele ID Card with their local office. The registration process varies from Kebele to Kebele but typically a wide range of evidence is accepted for identification, including birth, vaccination, and school certificates as well as personal knowledge of the applicant [3]. (Birth certificates are also issued by Kebeles themselves and require the testimony of three people.) Similarly, the appearance of the card varies but includes a standardized set of information as well as a photo of the holder [4]. Records of Kebele ID Cards are exclusively kept on paper at Kebele office facilities. Kebele ID cards are not free but relatively cheap in most Kebeles (typically between Br 10–40 to recover costs) and are required for a wide range of activities, including registering a SIM, traveling internally, and opening an account with a microfinance institution, and voting [3]. They also serve as a foundation on which functional IDs, used for a particular purpose or program, can be built [5]. For example, obtaining a tax identification card, driver’s license, and passport requires a Kebele ID. Therefore, while no official figures for coverage exist, the World Bank estimates that between 80% and 95% of Ethiopians have a Kebele ID card [3,6].

Kebele Cards fail to achieve the desired functionalities of a foundational ID. The basic roles of ID systems are to

uniquely identify individuals (“Who are you?),
provide a method of authentication that an individual who claims an identity is the true owner of that identity (“Are you who you claim to be?”), and
determine whether an individual is authorized for something (“Are you eligible for a service?”) [7].

Foundational IDs may be used for authorization (point 3 above), but their primary role is to provide a definitive source of basic identity information and credentials that allow people to authenticate their identities to others (points 1 and 2) [7]. However, the current system, based on Kebele ID cards, does not fulfill these roles:

Individuals can lose their (legal) identities. Kebele Identity records are stored decentrally on paper with no aggregated backups in a centralized repository or database. This makes them vulnerable to damage or destruction during natural disasters or conflict. The ongoing ethnic conflicts in Ethiopia as well as the experience of conflict-related destruction of registers in the DRC, Cote d’Ivoire, and Rwanda demonstrate that this is a realistic scenario and serious concern [6].

Kebele ID records. Source: ID4D 2016 [3]

Identities are bound locally. Individuals moving to a different Kebele are in principle required to return their ID card to the original Kebele in exchange for a reference letter that allows them to obtain a new Kebele ID Card at their new residence [3]. Consequently, Kebele identities are not continuous over time which can create difficulties for third parties relying on them to trace individuals. The process of returning one’s old ID for obtaining a new one is also not user-friendly and adding a burden on citizens with increasing internal migration.
Identities are not unique. The wide range of documents that are accepted for new registrations, the lack of a central registry, and the administrative burden of returning an old Kebele ID Card when moving, led to reportedly many Ethiopians having more than one Kebele ID card (i.e., Kebele ID cards are not deduplicated) [3]. Individuals maintaining several Kebele IDs identities pose problems for third parties that use Kebele IDs for authorizing the receipt of services or benefits. It also invites election fraud and prevents financial institutions from establishing a unique credit history, creating a barrier to financial inclusion [3].
Third parties cannot easily authenticate Kebele ID cards and individuals. Kebele ID cards are easily forged or altered, and forgery of Kebele Card is one of the most common kinds of fraud in Ethiopia [8]. This means that third parties (other government ministries, banks, etc.) cannot without doubt establish that a Kebele ID card (i) is genuine and matches the information provided at registration — “does this identity exist?” (credential authentication), and (ii) an individual is the person they claim to be using the ID card —” is this your identity?” (individual authentication). This problem led to the emergence of an inefficient ID ecosystem in Ethiopia, where third parties develop their own identification systems for their specific purposes. Most notably, the Revenue Authority introduced a Tax Identification Number (TIN) which is deduplicated using two fingerprints. Similarly, the Productive Safety Nets Program (PSNP) relies on its own paper-based identity card [3]. These identity “silos” are not only costly for providers but also to citizens, who need to identify themselves anew for each of these providers. Further, the coverage of these functional IDs remains small (only 2% of the population held a TIN, and 1.6% a PSNP ID in 2016) and their use is limited to their specific domain [3]. For services where no functional IDs exist, individuals need to go through an identification process every time they want to access a service [1].

The limitations of the Kebele ID and the limited scope of functional IDs underpin the need for a robust centralized foundational ID system. The extent to which digital elements can address current limitations in an overhauled ID system will be discussed next.

Getting Digital Right — Evaluation Criteria and the ID Technology Stack

Ethiopia’s national ID strategy needs to be technically correct, politically supportable, and administratively feasible. Based on the review of the current Kebele ID system and the experiences of other countries [6], Ethiopia’s national ID strategy, regardless of the extent to which it is digital, should be evaluated on the following criteria.

Ethiopia’s national identification system could be digital in different dimensions. Whether Ethiopia’s identification system is digital or not is not a binary question. Instead, different layers of the “identification technology stack” could be digital. To facilitate the subsequent policy analysis, it is helpful to break down the technology stack into the following layers:

Identity definition — what attributes make an individual unique? E.g., biographic data and biometric features or digital traces?
Data storage — where are identity records stored? E.g., in a paper-based register or electronic database?
Identity management — how are identities registered, updated, or deleted? E.g., through in-person visits or online applications?
Credentials — what credentials are individuals provided for their recorded identities? E.g., physical cards or mobile IDs?
Credential authentication — how are credentials verified to be genuine and match stored records? E.g., by inspecting the security features on an IDcard or querying a database?
Individual authentication — how are individuals verified to be the owner of a credential? E.g., by examining the facial image on card or matching fingerprints to data stored on a smart card?

“Identification technology stack” (author’s illustration)

To illustrate, in the current Kebele ID system, biographic data (name, age, address, etc.) and the biometric features visible from facial images make individual unique (1). The identities are stored on paper in Kebele offices (2) and new identities are added through applications at local Kebele offices (3). Citizens receive a Kebele ID card with a facial image as credential (4) and individuals and credentials are verified through visual inspection of the Kebele ID cards (5 and 6). None of these layers are currently digital. The important takeaway from this framework is that some of these layers could be digital while others are not. In particular, while there are some interdependencies, physical layers can often be stacked on digital layers.

Three Opportunities to Go Digital

Based on this framework of the identification stack and existing identification landscape in Ethiopia, three policy options emerge: Option 1 improves the Kebele ID system by introducing a central digital database for the existing paper-based ID cards issued by local Kebele offices. Option 2 rebuilds the existing TIN card into a foundational ID where digital biometrics captured at registration are used for deduplication, but everyday authentication remains physical. Option 3 launches a new, wholly digital ID system that also enables digital authentication. The three options differ both in the extent to which they are digital and in their institutional setup.

Option 1 — A digital backend for Kebele IDs

In this option, the Vital Events Registration Agency (VERA) sends Kebele offices an empty Kebele ID card template with unique identification numbers pre-printed on them. (Currently, Kebele offices individually order their paper cards from local printers [3].) When a citizen registers (or renews their card), the Kebele office fills out the card, attaches a picture, and hands it out to the citizen as in the current system. Instead of maintaining a copy of the ID locally, however, the Kebele office sends it back to VERA, where the record is entered into a digital database (Kebele offices already send birth and death certificates to VERA since 2016 [3]). The database can be hosted on Ethiopia’s soon to be inaugurated national data center for government entities and, in principle, be queried by third parties through APIs. In this system, only layer 2 and for some third parties, layer 5 of the technology stack are digital.

The advantage of this system is that it creates a secure back up of identities in case local records are lost or destroyed. The standardization of paper-based ID cards also makes forgery and alteration more difficult (albeit only marginally) as people know what a correct Kebele ID should look like. Institutions with high levels of connectivity (e.g., government agencies) can verify that the information on the Kebele ID is the information that was initially registered by querying the central database (credential authentication). Since the system is maintaining the highly federated structure, where Kebele IDs are managed locally and only records are kept centrally, it likely also has the support of Ethiopia’s politically influential state governments. The system builds on the existing capacity of Kebele offices and VERA (although maintaining a database is an extension to their capabilities) and Kebele IDs generally already enjoy a wide acceptance in local economies despite their numerous limitations.

The biggest drawback of the policy proposal is that it still does not prevent citizens from having multiple IDs (and deduplication is not possible with the data collected at registration), so it would still not be able to serve as an acceptable form of identification for many institutions. Tightening the criteria for evidence at registration may prevent multiple IDs but also exclude eligible citizens in a context where the civil registry system is still nascent. Further, while connected institutions can authenticate the credential by backchecking it against the national database, for verifying that individuals present their own ID card (individual authentication), they still must rely on visual inspection of the photograph. The successful implementation also relies on the uniform compliance of Kebele offices with the new policy which is not guaranteed given their strong autonomy in the current system. The central storage of data may also raise security and privacy concerns – the new data center has not yet been stress-tested and Ethiopia currently does not have a data privacy law in place.

Option 2 — Rebuild TIN cards into a foundational ID

This proposal suggests modifying and expanding access to the existing Tax Identification Numbers (TIN) and associated cards, issued by the Ethiopia Revenue and Customs Authority (ERCA). In principle, every Ethiopian earning a taxable income on a business or rental property is required to get a TIN and pay taxes. TINs are also required to open bank accounts (at formal banks, not microfinance institutions), participate in public loan programs, and generally for public employees [3]. It is the only functional ID in Ethiopia which is deduplicated using the biometric information from two fingerprints [3]. Biometric information is stored centrally — the plastic ID cards themselves, however, do not contain any biometric information (other than a facial image) or any other digital information. Citizens can apply for them at ERCA branched in “subcities” (administrative division below the national and state level[8]). The TIN was introduced in 2009, and in 2016, coverage was still low with 2.2 million Ethiopians holding a TIN [3]. This policy option would ease access to the TINs by setting up additional registration offices and mobile registration units for citizens in remote areas [9]. With increased coverage, TIN cards could start serving as foundational ID for a wider range of services (as they already do for banks). There are precedents for repurposing a functional ID into a foundational ID from other countries (e.g., India’s Aadhar system was originally a functional ID for service provision by the government [10]).

Example TIN card. Source: Tripadvisor.com

The primary advantage of this option is that it provides unique identities (as individuals attempting to apply for a second ID can be identified by matching biometrics). Note, that deduplication at registration does not necessarily require the registry stations to be connected to the internet (currently, fingerprints for TINs are also collected on paper and only later digitized). The issued plastic cards are more expensive than the current paper-based cards but since they do not contain any digital information (barcodes, magstripes, chips), they are still relatively cheap (<$1 per card [7], which is <$109 million if every Ethiopian registered, or 0.8% of an annual budget). Such a deduplicated system represents if not “best” at least “good practice” and is thus also more likely to get support from international organizations like the World Bank. Administratively, the system could build on the capacity and experience ERCA has gained over the last 11 years and the strong institutional motivation of the organization and federal states to increase registration and thus the tax base. The plastic card would be much harder to forge or alter, and as with option 1, connected institutions could authenticate them by querying a central database.

The disadvantage of the system is that the registration process is currently geared towards high- and middle-income groups in the society (those with taxable incomes) and may thus, despite efforts, not be easily made accessible to poor or marginalized groups. Also, the fact that the card can typically not be issued instantaneously but has to be collected at a later point creates the additional challenge of ensuring that each card reaches the correct person. Promoting TIN cards may cause institutions that previously accepted Kebele cards to shift to exclusively accepting TIN cards and thus effectively excluding the poor from services. Further, as cards do not store any biometric information, third parties will still have to rely on visual inspection of pictures to establish individual authenticity. Signing up for a card whose title suggests that its primary focus is taxation may also not be appealing to citizens. Finally, since a persons’ biometric information cannot be changed if data is breached, their centralized storage may create bigger security and privacy concerns.

Option 3 — A new, fully digital ID card

In option 3, a new agency would be created (as originally envisioned in Proclamation №760/2012) that enrolls citizens into a national database capturing their biometric information (fingerprints). Citizens would then be issued ID cards with QR codes that store their encrypted biometric information.

The system would in many ways be similar to option 2 (central database and deduplication using biometrics) but would have the additional functionality that third parties can digitally verify the authenticity of individuals offline. More precisely, third parties equipped with a finger scanner and a decryption app installed on a mobile phone can match the biometric information of the individual to the information stored on in the QR code. In this system, therefore, also layer 6 of the “ID technology stack” is digital, providing higher a level of assurance. A new agency would also be unhindered by legacy systems and able to build an inclusive, user-centric system from the ground up.

The disadvantage of this option is that fingerprints need a densely printed QR code, and scratches to the card can make the code unreadable [7]. This is especially problematic in a context where citizens rely on their identification for acquiring crucial social services, and false negatives have a high human cost. The printing of the QR code would also make cards more expensive (albeit marginally), and the system with scanners and a custom app is generally less commodified, likely increasing costs. At the same time, few third parties require a level of assurance that goes beyond the visual inspection and matching of facial images on the card. The QR code on the card can also easily be copied and replicated, creating an additional security risk [7]. Other, more secure options, such as cards with chips (“smartcards”) or direct matching with a central database as in the Indian Aadhaar system are either too expensive or require too much connectivity for the Ethiopian context. Institutionally, the creation of a new agency may also come with challenges — while it is unclear why the agency envisioned in Proclamation №760/2012 has not yet been constituted, the lag suggests institutional barriers exist.

The Way Forward and Implementation Considerations

Overall, option 2 seems the most promising. Option 1 does not address the fundamental problem of non-uniqueness and option 3 provides more functionality than is currently needed by most users while also being more expensive. Also, note since the biometric information is stored at registration in option 2, it is possible to eventually move to a system that stores biometric information on cards for digital authentication (option 3) should Ethiopia’s identity needs evolve more quickly than currently anticipated. Finally, many of the concerns regarding option 2 can at least partly addressed through thoughtful implementation.

In particular, the government should:

Pass a privacy law that regulates who and under what circumstances is allowed to access the national database with identity information. Having privacy legislation in place before the system is implemented will be crucial to building trust and thus fostering adoption.
Make the national ID system a line item in the annual budget. This will help to ensure that financial support is sustainable and that ID cards can be offered to citizens at no higher cost than Kebele cards. Digital identification is also a ‘hot’ donor topic, so the government should actively ask for support from bilateral and international donors (as sucessfully done in the past).
Remove ethnicity information from the ID card. Recent news reports from Tigray suggest that the ethnicity information on Kebele ID Cards has been exploited for ethnic-based violence. While Ethiopia’s regional borders were originally drawn around ethnic groups, access to services or offices is nominally independent of ethnicity and therefore not essential information for a foundational ID system.
In the procurement of ID system components, define the functionalities that need to be achieved (rather than describing the product details) and, to the extent possible, require any technology to be developed using open-source software to promote trust and prevent vendor lock-in. Also ask for samples or prototypes in the selection process.
Improve the registration and authentication process in iterative pilots. Before launching the system nation-wide, test it on a small-scale to evaluate underlying assumptions and whether it effectively addresses user pains. Do citizens find it convenient to enroll? Are fingerprints sufficient or do we need iris scans for deduplication? Are third parties finding ID cards easy to authenticate? In this iterative design process, also actively seek input from the private sector and civil society organizations in public consultations.
Set up a robust grievance redress mechanism through which individuals can file complaints (in person, text, or via call) about the identification system. Given the high cost of authentication errors in the context of extreme poverty, the efficient resolution of complaints should be prioritized over rapid expansion.
Combine the launch of the ID system with a public communications campaign. The campaign should inform the public about registration opportunities, address security and privacy concerns, and motivate adoption. This might entail a rebranding the TIN card so that it is associated less with taxation and more with service provision.
Mandate a long transition period between Kebele IDs and the new national ID. Rolling out the new TIN ID to whole Ethiopia will take time, and in this transition period, Kebele IDs should be accepted alongside the new TIN cards. Although this will decrease the incentive to register for the new ID, phasing out the Kebele ID only once the new ID has attained sufficient scale minimizes the risk of inadvertently setting up new barriers to identification.