Bhutan’s National Digital Identity (NDI) system is designed on the principles of self-sovereign identity (SSI), which provides an absolute control over personal information, in the hands of the users, thus setting a new benchmark for digital privacy and security worldwide.
“In the Bhutan NDI ecosystem, where the user is at the center of all digital interactions, we have ensured that individuals do not have to disclose unnecessary personal information during transactions, thus safeguarding their privacy,” explained Pallavi Sharma, leading marketing and communications at NDI.
The Bhutan NDI wallet operates on a decentralized platform, emphasizing user consent and minimal data exchange. “Our verification process ensures that individuals only share the information required for a specific transaction. This prevents unnecessary disclosure of personal details, setting a standard for digital interactions that prioritize user privacy,” said Pallavi.
She added that unlike the OTP-based authentication process where your telecommunication provider knows exactly which organization (e.g., bank, insurance company, RSTA, etc.) is verifying you, Bhutan NDI’s authentication and verification keeps the user at the center of all digital interactions, allowing individuals to share a previously issued verified credential (e.g., phone number) with a verifier (e.g., bank) without the issuer (e.g., TashiCell) knowing which service provider the user is interacting with.
One of the key features of the Bhutan NDI is its stringent approach to data collection. Unlike many digital identity systems, Bhutan NDI does not collect or store any user information.
“We act as facilitators, enabling digital transactions without compromising user data. The information shared during onboarding is used solely for verification and is not stored on our platform,” assured Pallavi.
To prevent any unauthorized access and misuse, the Bhutan NDI has implemented robust security measures. Users’ private keys are generated through facial biometrics, ensuring that only verified individuals can access the system. Additionally, a trust registry includes authorized institutions, preventing unauthorized entities from accessing users’ digital identity information.
“Our blockchain-based architecture ensures that data breaches and cyberattacks are nearly impossible. The decentralized identifiers (DID) used in our system maintain user anonymity while providing necessary verification,” explained Pallavi.
Regarding accountability, the NDI Act of 2023 has established legal consequences for breaches. “We have provisions to hold the NDI administrative body and the NDI company accountable for any significant attacks or breaches in the system. However, users must also take responsibility for safeguarding their personal Bhutan NDI wallets,” said Pallavi.
Upon asking about what safeguarding measures are in place to prevent misuse of NDI data by government agencies for surveillance purposes, Pallavi said that, since NDI is built on a blockchain, only the Decentralised Identifier (DID) goes into the blockchain and cannot be traced back to a specific person. This will provide the required verification while maintaining user privacy.
Likewise, the NDI Act 2023 has legitimized the NDI ecosystem, and there are regulations in place to ensure that there is no authorized access to data or personal information, even by government bodies or agencies.
The NDI Act of 2023 has numerous provisions to safeguard people’s digital identities in the event of security lapses or other mistakes. If there is a severe attack or breach on the NDI ecosystem and the NDI administrative body fails to notify the ecosystem’s participants, users, issuers, verifiers, and governance bodies within a given deadline, they will be held accountable. However, if an attack occurs on a person’s edge wallet or device as a result of negligence, such as sharing their pin with others or failing to notify the NDI business of a lost device, the person will be responsible for any breaches on their own Bhutan NDI wallet.
This groundbreaking initiative has not only elevated Bhutan’s status in the digital realm, but has also set a global precedent for privacy-focused digital identity systems.