Mexico’s World Bank-Funded Mandatory Biometric Database Raises Serious Ethical and Legal Questions

This is Naked Capitalism fundraising week. 1270 donors have already invested in our efforts to combat corruption and predatory conduct, particularly in the financial realm. Please join us and participate via our donation page, which shows how to give via check, credit card, debit card, or PayPal. Read about why we’re doing this fundraiser, what we’ve accomplished in the last year, and our current goal, more original reporting.

Mexico’s government wants the biometrics of all its citizens. Given the fragility of its institutions and organized crime’s infiltration of both government and law enforcement, this is a major cause for concern.  

Mexico has a serious problem with identity theft. Last year, the country ranked eighth worldwide in terms of the incidence of the crime, according to data from the country’s central bank, Bank of Mexico. Since then the scale of the problem has done nothing but grow, as huge amounts of work, leisure and consumption have migrated online.

A cybersecurity study conducted by Citrix found that 60% of the Mexican companies it consulted had suffered some form of cyber attack since the start of the pandemic, including identity theft and ransomware. Mexico is also one of the countries most frequently targeted by Trickbot, a Trojan horse whose main function is the theft of banking details and other credentials, according to a recent report by the newspaper Milenio.

Against this backdrop Mexico’s Lopez Obrador government is seeking to pass a draft law that will create a “Unique Digital Identity Card,” or CUID. If the law is passed, digital identity will become mandatory for all Mexican citizens and foreigners living on Mexican soil. All the information, including each user’s biometric data, will be stored on a centralised database. The proposed law was already passed by Mexico’s lower chamber in December 2020 and is now awaiting passage in the Senate.

World Bank Funding

The biometric ID card project is being funded by the World Bank, an organisation that is driving digital ID adoption around the world, particularly in the Global South. The bank is pushing digital ID in poorer countries with the ostensible goal of providing legal identity to the 1.1 billion people, mainly in Asia and Africa, who do not currently have one. 

But the program is mired in controversy. After the recent exodus of U.S.-allied forces from Afghanistan, it was discovered that many of the World Bank-funded data troves left behind had fallen into the hands of the Taliban, and could be used to track down people who had aided the occupation forces. That data included some half a million records, including biometric identifiers, on every member of the Afghan National Army and Afghan National Police, reported MIT Technology Review:

The data is collected “from the day they enlisted,” says one individual who worked on the system, and remains in the system forever, whether or not someone remains actively in service. Records could be updated, he added, but he was not aware of any deletion or data retention policy—not even in contingency situations, such as a Taliban takeover.
A presentation on the police recruitment process from NATO’s Combined Security Training Command–Afghanistan shows that just one of the application forms alone collected 36 data points. Our sources say that each profile in APPS holds at least 40 data fields.
These include obvious personal information such as name, date, and place of birth, as well as a unique ID number that connects each profile to a biometric profile kept by the Afghan Ministry of Interior.
But it also contains details on the individuals’ military specialty and career trajectory, as well as sensitive relational data such as the names of their father, uncles, and grandfathers, as well as the names of the two tribal elders per recruit who served as guarantors for their enlistment. This turns what was a simple digital catalogue into something far more dangerous, according to Ranjit Singh, a postdoctoral scholar at the nonprofit research group Data & Society who studies data infrastructures and public policy. He calls it a sort of “genealogy” of “community connections” that is “putting all of these people at risk.”

Security Risks in Mexico

More than 25 national and international organisations, including Privacy International, Access Now and Red en Defensa de los Derechos Digitales (R3D), have called on Mexico’s Senate to block the CUID program’s implementation, citing security risks to civilians as well as the Mexican government’s authoritarian drift. In April, the AMLO government passed a controversial reform to the Federal Communications Law that created the National Register of Mobile Telephone Users, a centralised database containing the line number, date and time of activation for each user, their full name and biometric data, among other information.

The government claims the data is needed for its fight against organized crime. Smart phones, it says, are routinely used in many of the worst crimes committed, including kidnappings and extortion.

Roughly 75% of Mexicans have a smartphone, according to a government survey. Now, the government wants the biometric data of everyone. And that should be cause for concern. In a recent interview with Rest of World, a global nonprofit publication “covering the impact of technology beyond the Western bubble,” the Mexican digital rights activist Luis Fernando García said that the centralised nature of the proposed biometric database system would make it much easier for the government to track and control citizens:

When the government creates this one identity system, every time someone goes to a public or private service, they give the same centralized ID. Before, officials would need to go to different places to collect all the information they need. With the CUID, they would have a way to connect all of the databases. This gives the government and corporations the power to surveil, control, manipulate, and punish people.

Given the inherent weakness of Mexico’s political and legal institutions and the extent to which organised crime has infiltrated both government and law enforcement agencies, so much so that the line between organized crime and the public authorities is barely distinguishable, “a digital ID that simply provides a new surveillance tool…, enabling the tracking, surveilling and profiling at scale, is a great cause for concern,” says the London-based charity Privacy International:

Digital ID systems risk being a surveillance tool, used to track movements and activities, and linking all of a person’s activities back to a single number. This is particularly acute in Mexico, given the ongoing targeting of communities at risk including journalists, human rights defenders, and environmental activists. And, if the abuse of Aadhaar by criminals in India is anything to go by, organised crime could be looking to use this system for their own, deadly ends. In an interview with PI, a lawyer at the Mexican human rights organisation CentroProdh spoke movingly of the impact that surveillance has on human rights defenders, lawyers, and activists. The intrusion of this surveillance impacts not only the lives and work of activists, but also their families.

Data Insecurity

There is also the issue of data security to consider. Political and financial institutions in Mexico have suffered numerous breaches in recent years. In 2018, hackers pulled off an audacious $20 million heist of Mexico’s inter-bank payment system, run by the Bank of Mexico. As mentioned at the beginning of this article, Mexico ranks eighth in the world in identity theft. A centralised database of every citizen’s biometric data will be the ultimate honey pot for sophisticated cyber-criminals.

“The idea of a data breach is not a question of if, it’s a question of when,” says Prof. Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the internet: everything is hackable.

Authorities in India, South Korea and the Philippines have already suffered breaches that led to the theft of biometric ID data belonging to millions of individuals in those respective countries, says Privacy International. And when biometric data is leaked, the consequences can be catastrophic. If biometric data is hacked, there is no way of undoing the damage. There is no way of changing or cancelling your fingerprint, iris or DNA like you can change a password or cancel your credit card. The UN High Commissioner for Human Rights says that biometrics are “by definition inseparably linked to a particular person and that person’s life, and has the potential to be gravely abused.”

Another problem with biometric systems is they are far from flawless. As Wired reported in 2019, US government tests found that even top-performing facial recognition systems misidentify blacks five to 10 times more often than they do whites. In Mexico this could be a major problem given that 67% of the population self-classify their skin colour as medium tones and 20% as dark tones. 


The World Bank’s Identification for Development (ID4D) program was launched in 2014 with “catalytic contributions” from the Bill & Melinda Gates Foundation as well as the UK Government, the French Government, the Noweigan Government and the Omidyar Network. According to the World Bank Group’s website, it is a “cross-sectoral platform that creates and leverages partnerships with United Nations agencies, other donors, non-government organizations, academia, and the private sector” with the goal of “help[ing] countries realise the transformational potential of digital identification systems.”

The program is wrapped up in cosy buzz words such as digital development, social protection, gender issues and financial inclusion. But digital ID systems can also be weaponized by authorities to exclude millions of people from access to the most basic services, or even to deprive people of the legal right to remain within the respective jurisdiction.

This is precisely what happened in the Dominican Republic. As Eve Hayes de Kalaf, a research associate at University of London’s Centre for Latin American and Caribbean Studies, reported in an article for The Conversation, the Dominican government, in conjuction with World Bank programmes providing citizens with proof of their legal existence, “introduced exclusionary mechanisms that systematically blocked black Haitian-descended populations from accessing and renewing their Dominican ID”:

For years, people of Haitian ancestry born in the Dominican Republic have found themselves in a fierce battle to (re)obtain their ID. Officials claimed that for over 80 years they had erroneously provided people born to Haitian migrants with Dominican paperwork and now needed to rectify this mistake. These people say they are Dominican. They even have the paperwork to prove it. But the state doesn’t agree…
Who was deemed eligible for inclusion in the civil registry (meaning Dominican citizens) and who was excluded as foreigners (the Haitian-descended) was considered a sovereign issue for the state to address. As a result, tens of thousands of people found themselves without documentation and subsequently excluded from essential healthcare services, welfare and education…

Hayes de Kalaf lists other cases where digital ID registrations had been used for discriminatory purposes, including India’s ostracism of the Assam and Kenya’s systematic mistreatment of Somali refugees:

For people who find themselves excluded from this new digital age, daily life isn’t just difficult, it is almost impossible.
And while the need to speed up digital ID registrations is pressing, in this post-pandemic world we need to take a step back and reflect. Calls for digital COVID passports, biometric ID cards and data-sharing track-and-trace systems are facilitating the policing not only of people crossing borders but also, increasingly, of the populations living within them.
It is high time we had a serious discussion about the potential pitfalls of digital ID systems and their far-reaching, life-altering impact.

One can only hope that before voting on CUID, Mexico’s Senate gives full consideration to these potential risks. The same goes for many governments around the world, in both the Global South and Global North. 

Print Friendly, PDF & Email


  1. Synoia

    Digital Oppression – Making privacy and anonymity crimes.

    More of making 1984 a “how to” guide.

    Perhaps the only way this will end is the outcome of global warming, Civilization collapse. At that time the ability to grow food,support your local community, and defend your family and food, will y become the key skills for survival.

    I posit, as I have before, that intelligence as we humans practice, which includes a large helping of Greed, is not a long term evolutionary advantage..

    Few animals, if any, other than Humans demonstrate our high levels of greed.

  2. Brooklin Bridge

    My credit union account is at a bank that has decided this is a good cost saving approach, or perhaps simply that it glitters, and besides, what ever pops out of upper mgmts. mouth is immediately appended to the ten commandments. The degree of ego that justifies such sheer nonsense without rhyme or reason other than that the CEO said so, is stupefying and the slavish head bobbing of low level staff in the face of irrefutable facts is chilling. It’s an absolute celebration of raw ignorance.

    Needless to say I’m moving my account to another bank that isn’t quite as good as this one used to be, but which, knock on wood, is not competing with co-staff in CEO fellatio. I’m also praying this blows up in their faces before everyone (other banks) sign on. They have already sent out a letter to all “members” that to keep one’s account, one must agree to arbitration in the event of any disagreement. Hope for the industry as a whole is thin indeed. There is no bottom.

  3. An Eye for an Eye

    My company introduced biometrical entry systems for employees to the building. Total insanity. The company is selling services. There is nothing of value there. The most valuable assets were abroad as well as the staff. In the office the computers are valuable and possibly what can be found on the computers. Still nobody would be able to reproduce the success of the company without the access to assets abroad and the staff competency. I refused to get the access and was knocking on the door so that colleagues could let me in.

  4. The Rev Kev

    ‘The World Bank’s Identification for Development (ID4D) program was launched in 2014 with “catalytic contributions” from the Bill & Melinda Gates Foundation as well as the UK Government, the French Government, the Australian Government and the Omidyar Network.’

    The other organizations I can understand but what the hell is the Australian and French governments doing in this mix? Is it because France is a part of NATO and so has an input here while the Aussie government is part of the Five Eyes and so can off their services as well? Bonus points for the US as down the track when they have to deal with Mexicans crossing the border, the US can use their copy of Mexico’s biodatabase to instantly identify them and turf them back again.

      1. Nick Corbishley Post author

        It’s funny you should say that, Paradan. A new report by Privacy International suggests that the European Commission is externalising its migration/deportation policy by pushing countries that provide large inflows of migration into the EU (mainly Africa, the Middle East and non-EU member states in the Balkans) to set up biometric databases. In some cases, such as Nigeria, the EU has partnered with the World Bank in order to provide financing for the development of the digital ID systems.

    1. lordkoos

      Yes I immediately noticed the contributions of the billionaires to this effort. Whether the excuse is immigration, “national security”, or the pandemic, they are very keen to have this tracking data.

  5. Ping

    Again, as Wayne Gretsky famously said, “It’s not where the puck is but where the puck is going to be”.

    Now formally admitting (Fauci, Gates, etc,) that Covid vaccines are not effective as represented, (gosh, weren’t they the most heavily tested vaccines EVAH?), why aggressively pursue mandates, a coffin nail for Dems next election?

    It seems to me, Covid fear factor facilitates the “puck” heading toward bio-medical ID control all along. Reportedly Gates has been involved in various forms of this technology for years (quantum dot tattoo?) supposedly to track medical records of populations in underdeveloped countries….

    Obviously, the possibilities for total social control and incompetent misuse is alarming.

    1. w d w

      well part of the mandates, is so many that didnt want to get the vaccine, it wont get to herd immunity any time soon.
      its sort of like this, the alpha version of the virus, made 1000 copies of itself using the hosts , which it then spread as far as it could. but delta, is a different game all together, it make up 100,000 copies of it self, and spreads that as much as it can.
      course seems like majority of those getting the mild or bad version of covid, have had no vaccines at all. so they fill up the ICU beds at hospitals, which leads to hard choices as to what to do with those are in a wreck, heart attack, or stroke.

  6. Mantid

    My favorite quote from the article is “Welcome to the internet: everything is hackable.”
    I think we all know this, but we still carry a “smart” phone in our pocket or pouch. It is plugged directly into the “mains” of the trackers and hackers. Wow, incredible. How did we let this happen and even pay them to have us be plugged in?

  7. flora

    This renewed power grab by govts and financial authorities all around the world, thanks to weaponized, new digital tracking tech, is alarming to me. Thanks for this post.

  8. Terence Dodge

    Everything is Hackable. Next they’ll want to impose democracy on Mexico, lots of luck with that. And then they will come for our Republicans and Democrats and we know how they feel about democracy.

  9. Susan the other

    I see lots of good jobs here. A very big but decentralized agency to protect personal identities. Decentralized to the township level. Run by a group of “villagers” who know everybody. Run by the quintessential busybodies. Who’d a thunk that that would be a talent, that nosiness, for maintaining digital justice. But there’s no other way to provide protection in systems that are so vast and anonymous that you’ve already lost your “identity” when you are entered into it by codes of numbers and references. Of course that’s easy to hack. Give this agency back to the people.

Comments are closed.