Technology is neither good nor bad; nor is it neutral
-Melvin Kranzberg
Advances in technology unlock profound opportunities: to expand access, grow economies, and promote human thriving. And yet, the same technologies can deepen disparities and introduce new harms. Every implementation reflects a set of values – intentionally or unintentionally – and those manifest values will change as the political, institutional, operational contexts shift. To realize the benefits of innovation, we have a responsibility to name our values, identify the current and future risks to those values, manage trade-offs, and implement effective controls.
Last year, the United Nations Office of Digital and Emerging Technologies and UNDP published the Universal DPI Safeguards Framework. It offers a powerful foundation for the important work of mitigating the inherent risks of introducing new technologies for the public good. I applaud the ambition, the 2024 cohort, and the overall approach. And I’m delighted to have been invited to participate in the 2025 Working Group and act as its Rapporteur.
it will benefit from further iteration. In what follows, I highlight opportunities to expand the risk analysis, identify further responsible parties, and hone the principles. To maximize the impact of the Framework, partners must come together to enhance the interactive model and offer shared best practices for how to deliver on key recommendations throughout the lifecycle.
Risk Analysis:
The analysis presented encompasses major thematic areas of risk. There are two risks that I would recommend exploring in more depth:
1. Expand reference to societal risk.
2. Recognize the risk of globally splintered access and inclusion.
The risks presented in the Universal DPI Safeguards Framework encompass critically important risks to safety, inclusion, and structural vulnerabilities. However, the risk of disempowerment is framed in the context of “individual control” and “personal data.” While these remain important, it is equally important to frame a risk in more communal terms. Communities are disempowered, for example, when mass data collection and analysis (even anonymized data) leads to harms. When I first wrote about this in “Human-Centric Identity: for Government Officials,” in 2023, I highlighted examples relating to state and non-state actors leveraging mass data collection to target individuals and influence their behavior (e.g., influence elections). Since then, it has become equally relevant to discuss the implications of data harvesting by artificial intelligence engines. The Universal DPI Safeguards Framework would benefit from a clearer articulation of societal-level risks threaded to best practice legal and regulatory safeguards.
A second risk that could be more adequately addressed in the Framework is that of global splintering. In this context, I am referring to whether critical rights-enhancing infrastructures are capable of interoperating across borders – and whether barriers to global inclusion emerge when systems do not interoperate. For example, digital health or vaccination credentials that do not work when crossing a border, Refugees who cannot prove their educational background in their host country, and countless other examples. It can also, of course, refer to transnational infrastructures (like the Internet) when nations apply policies that disconnect their residents from the global community. This risk is at the heart of the Sustainable Interoperable Digital Identity (SIDI) Hub, which is building a Digital Commons for interoperable, rights-enhancing identity infrastructure, and which I co-lead with other non-profits and inter-governmental collaborators.
With these risks in place, the Framework might consider further principles and recommendations:
– Foundational Principle F6 “promote autonomy and agency” could expand to include reference to collective behavior.
– Further principles and/or recommendations could refer to legal and regulatory frameworks that define appropriate behaviors in relation to data in aggregate (including anonymized data).
– Operational Principle O9 “build and share open assets” could refer to the development and open sharing of common tools that enable cross-border interoperability and trust establishment.
Responsible Authorities
The Framework recognizes that collaboration between multiple parties and stakeholder groups is essential for delivering DPI responsibly. However, although several process recommendations promote the adoption of internationally recognized standards, the concept is buried within the Framework’s layers and is conflated, at times, with regulatory standards or Open Source Software. The role that international standards play in DPI is worthy of distinction.
I recommend highlighting this role as a “Responsible Authority” for several reasons:
1. Conformance to rigorously tested and inclusively developed (ideally “open”) international standards raises the bar for security and enables interoperability.
2. Standards are essential but themselves insufficient in preventing vendor lock-in: governments must build capacity and engage in standard-setting rather than delegating to their vendors.
3. To best serve DPI, Standards Bodies should embed recommendations about their own governance, transparency, inclusion efforts, testing, and the availability of conformance testing and accessible certification.
Clarifying language and raising the profile of standards within the framework will allow for more specific, targeted guidance about how other actors should engage with these bodies throughout the DPI lifecycle. Combined, these points suggest that there is a strong case for presenting standards bodies as a “Responsible Authority” within the framework and embedding recommendations for standard-setters.
Principles
Above, I have highlighted key areas that should translate into adjustments or additions to principles. These include the risk to society, the risk of splintered access, and the role of standards. One further principle that may help bridge this framework to practice is “Manage Trade-Offs.”
In the paper, “Human-Centric Digital Identity: for Government Officials,” I argued for a values-sensitive and human-centric design process. The values that underlie the system should be intentional; the human rights risk assessments (Principle F1) will highlight crucial areas of opportunity. However, trade-off decisions will inevitably arise as requirements are gathered and roll-out commences: for example, the value of privacy will be in tension with the value of protection or fraud prevention. Whether it is addressed at the level of Principles or Recommendations in this framework, implementers need a process for unearthing trade-offs and making intentional, values-based decisions.
Recommendations and Practices
The value of the Universal DPI Safeguards Framework will only be realized if principles and process recommendations are highly accessible and translated into usable practices. In some cases, the interactive model offers this: where a reference model exists, the Framework points to it. However, implementers and their constituents need further tools to safeguard DPI implementations:
– Best practices are still emerging in relation to how human rights relate to a given form of DPI, e.g., the Framework for Legal Digital Identity provides a robust baseline.
– There are limited tools for managing human-centric design through a period of intentional trade-off decisions.
– Certified conformance to the standards requires testing.
The recommendations and proposed practices imply that many more tools need to be developed in collaboration with partners to deliver on the safeguards. I recommend that the 2025 DPI Working Group spend ample time triaging these needs (such as those above) and developing human-centric, rights-focused tools with partners in the ecosystem.
