Modern public management cannot work on paper. The citizens know it, the civil servants know it, the civil servants who still sign on paper eight times to approve a license also know it.
The problem is not digitizing, on the contrary: digitizing is necessary. The problem is to do it without governance.
Digitalization already has a legal framework. What is missing is criteria
In Latin America, practically all countries have regulations that enable, if not require, the digitization of public administration. Argentina has Law 25,506 on digital signature and Decree 733/2018 that drives the depapelization of the State. Uruguay has Law 18.220 on electronic documents and electronic signature. Chile, Colombia, Mexico, Peru and Brazil have their own equivalent frames.
There is no legal excuse for continuing to use paper. The authorization is there. What is missing, in most cases, is a serious implementation plan with real controls on how the data generated by these systems are safeguarded.
Because when the state digitizes, it not only gains efficiency. It also concentrates sensitive information of millions of people in systems that, if not well protected, become targets.
What happens when digitalization lacks governance?
In 2025, the organization Derechos Digitales published the report “Identities for Sale”.”, The results of empirical research conducted between October 2024 and February 2025 in Brazil, Peru and Argentina. What they found is hard to ignore.
The researchers identified 27 active groups and channels on Telegram dedicated to buying and selling personal data. We are not talking about names and e-mails. We are talking about ID photographs, fingerprints, vaccination records, credit status, family ties, addresses with a direct link to Google Maps. All accessible with a bot command, in a matter of seconds, upon payment of between 3 and 15 dollars.
The most worrying aspect of the report is not the criminals operating these channels. The most worrying thing is where the information comes from.
The researchers observed that some of the data marketed have formats, coding and institutional watermarks that are compatible with the official records of Argentine, Peruvian and Brazilian agencies. In some cases, Peruvian judicial certificates were generated in real time, on the same date and time as the bot query. The hypothesis that the report does not rule out: in certain cases, bots could be operating with valid institutional credentials.
In other words, the illegal market for Latin American identities may be functioning, at least in part, thanks to vulnerabilities in the State's own systems.
The structural problem is what happens inside
Beyond the legal framework and regulatory bodies, there is a more everyday and more difficult problem to solve: what happens inside each public body when no one is watching.
Agencies that manage large volumes of information often lack comprehensive risk management policies, regular technical audits and monitoring mechanisms on who accesses what information and when.
Some simple questions that most public agencies in the region cannot answer today:
- How many employees have active access to the agency's databases?
- Are those credentials revoked the same day someone changes areas or leaves their position?
- Are there alerts set up to detect bulk or unusual queries on this data?
- When was the last security audit of the systems that store citizen information?
These are not complex technical questions. They are basic management questions. And the available evidence suggests that, in most public agencies in the region, no one is answering them in a systematic way.
The municipalities are the most exposed link in the State.
If there is one level of the State where this problem is most strongly concentrated, it is the municipal level.
National and provincial governments, with all their limitations, have technology structures, systems areas, some level of specialized support. Municipalities, in general, do not. A municipality with a population of 50,000 inhabitants can be managing registers, commercial licenses, construction records, payroll and administrative files with a two-person systems team, outdated equipment and no formal information security policy.
At the same time, that municipality has access to very sensitive data: tax information of its neighbors, health data if it manages primary care centers, civil status records, information on beneficiaries of social programs. The combination of high data exposure and low protection capability is exactly the scenario cybercriminals are looking for.
Size is not an excuse or a protection. A small municipality with poorly configured systems is just as vulnerable as any large agency, except that it has far fewer resources to respond if something goes wrong.
Why agencies cannot improvise
There is an understandable temptation in the public sector: to look for a tailor-made solution. A system that adapts exactly to the procedures of the agency, as they are today, with all its steps, forms and inherited logics. The argument sounds reasonable, because each municipality, each secretariat, each entity has its own particularities.
But A custom-developed system for a specific agency rarely has the resources for maintenance, security updates and ongoing support required for a digital environment that handles sensitive data. When a new vulnerability appears, when a regulation changes, when there is an incident, that system depends on the original vendor remaining available, interested and funded.
Industry standards exist for a reason. Robust software, implemented by other agencies, with active support and regular security updates, is not a luxury. It is the minimum infrastructure to digitize responsibly.
The question any official should ask before implementing a digital solution is not “does it fit how we work today?”. The right question is “who guarantees that this is going to be well maintained in three years, and how do you protect the data of the citizens who are going to live within this system?”.
To conform to a standard is not to resign oneself to it. It is exactly what organizations that digitize well do.
The cost of getting it wrong
More than 116,000 photographs from Argentina's RENAPER were shared on Telegram in 2021. In the same year, another attack compromised the driver's license system database, leaving more than 6 million people at risk. In Brazil, a breach exposed data on more than 223 million people, including records of the deceased.
These are not isolated accidents in large national systems. They are the predictable result of digitizing without the security and governance infrastructure that such a process requires, and the pattern is repeated in agencies of all sizes and countries.
The digitalization of the State is urgent. Citizens need it, efficiency justifies it and the law enables it. But doing it without criteria, without standards and without governance over the data generated is not digital transformation. It is building a bigger problem on top of an old one.
At Wai we accompany municipalities and public agencies throughout the region in digitalization processes that are secure, sustainable and aligned with the standards that this moment demands. If you are thinking of taking that step, we can help you get it right.
