Publicado el , Última actualización el por Fundación Karisma

A paradigm shift in digital identity and authentication?

The identity of Colombian Digital ID (Cédula Digital)

The Colombian digital ID app (Cédula Digital) is the latest identification proposal from the National Civil Registry (RNEC). The idea is that it will be the master key to digital transformation in Colombia by enabling interoperability between government digital services, interconnection with financial services, and the receipt of official notifications and documents.

With this development, the RNEC also seeks to transform the way we identify ourselves: the Digital ID Card should be used whenever it is necessary to verify a person’s identity on the internet. These new possibilities in its implementation raise questions that we – at Karisma – believe need to be addressed with a critical and reflective eye.

Investigate in eight directions

“Making the invisible visible” has always been a goal of Fundación Karisma’s Digital Security and Privacy Laboratory (K+Lab). When we talk about technologies such as election software, websites, or applications, transparency is not always guaranteed. Therefore, technical research by independent entities is a powerful complement to studies that can be conducted through the analysis of public information, contractual documents, and even responses to requests for information.

We analyzed the case of the Colombian digital ID app (“Cédula Digital”) during the second half of 2024 and early 2025. Very little is known about its functionality, and public information about how it works is scarce. To find out how it works, what it does with the information it collects, and where it sends our personal datas, we conducted research along these eight lines:

Two of those lines have been the analysis of the traffic generated by the application, i.e., the data sent and received by the Digital ID app. We did this using the open-source tools PCAPdroid and Pirogue Tool Suite, which were essential for understanding what data the application was receiving and sending and where it was going.

Findings and existential questions

One of the most important findings of this research was to show how K+Lab methods can engage with and complement social research. In this academic article, Joan López and Juan Diego Castañeda analyzed the contractual relationships between IDEMIA and RNEC and discussed the difficulties of making strict distinctions between the public and private spheres when the state delegates the operation of technological infrastructure to third parties. 

The technical analysis we present reveals the central role of the multinational company IDEMIA in the development, maintenance, and administration of the application and its infrastructure. Furthermore, it highlights how the methods used allow us to uncover this relationship even though there is no mention of the company on the Cédula Digital website or on the Google and Apple store pages. This main course, which is sold to us as “exclusive” or “haute cuisine,” ends up being a recipe for a franchise repackaged as original. They do not name their chef, nor do they tell us about the origin of their ingredients. 

In this paper, we identify that the Cédula Digital application is, in fact, a local adaptation—a rebranding for Colombia—of a generic application called Mobile ID, developed by the company IDEMIA. Furthermore, as the RNEC indicated in its response to a request for information: “IDEMIA has access to the computer servers that store the Cédula Digital databases and other servers involved in its operation.” Several elements indicate that only this company knows how to manage the Cédula Digital databases (although the RNEC has an application interface to access them). Therefore, in accordance with Colombian legislation on personal data protection, we believe that IDEMIA is the “encargado de tratamiento de datos” (entity that processes personal data on behalf of the Data Controller).

Traffic analysis showed that the app sends data to two IDEMIA domains, but also to the data analytics and marketing service Localytics and to Google, which also raises privacy concerns.

Although the application has good security measures, we identified some moderate vulnerabilities that we submitted to the Registraduría in the detailed technical annexes to our report. This detailed version of the annexes will not be made public until these vulnerabilities have been resolved. 

Finally, the research highlights some accessibility barriers for users. For example, the need to have very recent mobile devices with a minimum operating system of Android 12 (released in October 2021) and iOS 17 (announced in June 2023), which excludes a portion of the Colombian population. On the other hand, activating the app with facial recognition presents a high level of difficulty for people with visual impairments, even when these are moderate. 

But beyond the findings, we believe that this research should open up a broad debate that addresses, among others, the following questions:

  • Who should define, and based on what criteria, the acceptable level of dependence of a public entity—such as the Registraduría —on a private company—such as IDEMIA—for the fulfillment of constitutional and legal functions—such as official identification?
  • When such dependence is considered excessive or unacceptable, how can it be reduced without affecting service continuity or compromising the security and privacy of individuals’ data?
  • What options exist for online identification and authentication associated with the Digital ID app that do not rely on biometric data?
  • ¿Which of these alternatives could pose the least risk to people’s fundamental rights, especially in terms of privacy, autonomy, and non-discrimination?
  • What is the role of digital advertising and data analytics companies we identified in the Digital ID app ecosystem?
  • How can we institutionalize external, independent, and technically robust audits in state projects that have been outsourced or that involve private intellectual property, in order to build public trust and guarantee people’s rights?

It is easier to give lessons or advice than to solve problems in concrete terms, and we do not claim to have the answers to all these questions. However, we believe it is essential to raise them in a public and transparent debate that will enable better approaches to be taken to the digitization of services associated with fundamental rights. 

Read, download, and share our full analysis of the Digital ID application here:

Análisis de la aplicación Cédula DigitalDescargar
Anexos_Informe_cedula_digital_publicosDescargar

Follow us on X, Fundación Karisma on Facebook and YouTube, and @karismacol en Instagram and Tik Tok.

If for any reason this post is not accessible to you, please write to us at comunicaciones@karisma.org.co and we will make the adjustments within our power so that you can access the content.

Please indicate the title of the content in the subject line of the email, for example: The identity of Colombian Digital ID (Cédula Digital).

It’s essential to put the issue on the agenda and fuel the conversation. Do you work in the communications media? Write to us at comunicaciones@karisma.org.co.