DIGITAL IDENTITY: Discussing a European Digital ID

17-06-2021

 

On the third of June 2021, the European Commission presented a proposal for a "trusted and secured" Digital Identity

In the framework of the 2030 Digital Compass, the scheme has one objective: reaching the milestone of making all key European public services accessible online, by the next decade.

To that end, the Commission plans to establish a cross-border digital identification, authentification, and certification system, allowing citizens, residents, and businesses to prove their identity or share electronic documents. Thierry Breton encapsulates the European Digital Identity as a technology “giving a choice to consumers, a European choice”

Digital identity is a straightforward concept: it refers to the identification of peoples by means of digital information, either self-created by the user, provided by the government or a private entity. 

Three varieties of digital trails supply information on an individual : 

  • Profile traces: the user consents to share information on their social media, for instance by updating their relationship status on Facebook; 
  • Browsing traces: the user unconsciously shares contextual information on their behavior by browsing the web; 
  • Declarative traces: the user shares information on what they think by publishing blog posts, videos, sending emails, or tweets. 

Until the mid-1990s, digital identity, as a concept, had no social resonance. New technologies, such as the ledger or biometrics, force a paradigm shift: now, issues concerning the governance models of databases and data collection processes are brought up to the attention of the general public. Concerns all lead to one crucial question: Does digital ID endeavor to make citizen’s daily life easier, or is it created in the sole pursuit of prompt identification?

Mirroring ongoing discourses, the exponential use of social networks, during the 2000s, may appear to be paradoxical, but it quite accurately nails the Zeitgeist of contemporary societies. Irrepressible, the desire to see locks the cells of a digital panopticon. Yet, citizens are starting to inquire if the digital identity's perimeters could be reformed. Concurrently, the SDGs advocate for the identification of all people in need: digital identity may be selected as an adequate solution. 

Breaking down the inner workings of digital identity uncovers guidelines for a technology that serves citizens, striking a balance between transparency and anonymity. 

 

Digital identity has many forms, impacting users’ privacy in varying degrees. Some examples include identification registries, smart cards, and digital wallets. 

Three mechanisms assess the authenticity of an identity. Known information, such as a password or the answer to a security question. Certifications, such as the scan of ID documents. Biometric data, such as a fingerprint. Aadhar is the largest national ID system in the world. In Inda, it gathers citizens' biometric and biographical data to issue easing access to public services. In August 2016, a ruling by the Supreme Court of India specified that private banks could not read the data contained in the cards. Thus, for now, Adhar is bounded to governmental processes, defining the framework of digital identity.

Law and constitutional rights winds up the governance of digital identity. As argued by Elizabeth Renieris and Dazza Greenwood, personal data must be protected under the human rights regime. The European Charter of Fundamental Rights already issues a framework in favor of citizens' privacy rights. Article 8 argues that personal data is only shared “on the basis of consent”

Adoption of a legal framework could additionally silence the sirens of state surveillance. Indeed, digital ID schemes do offer governments the capacity to monitor citizens, track dissidents or use access to public services as political leverage. Reuters' special report on the Venezuelan digital ID, la Carnet de la Patria, or fatherland card, uncovered how digital identity undermines democracy. Inspired by the Chinese smart card, Venezuela set up its own structure, and the Chinese firm ZTE assisted in the establishment of the Carnet de la Patria’s databases. 

The European digital identity's model of governance must abide by European values

One identity scheme does accept as its founding principle the users’ consent. The self-sovereign-identity, or SSI. In an SSI system, data is stored in digital wallets. Individuals share their identification at their own discretion. SSI is decentralized: users are responsible. They choose where, why, and when to disclose their digital ID, on the postulate of trust, context, and consent. 

Michael Garglia, Christopher Mellon, and Tim Robustelli coined the potential of SSI: “[It] makes an identity in the digital world function more like identity in the physical world”. The digital identity would be unique and persistent.  Moreover, a cryptographic technique entitled zero-knowledge-proofs (ZKPs) safeguards additional data, unlike a traditional ID document.

Having to prove the compliance to certain biographical attributes, such as age, supplying a physical ID, an individual necessarily gives up parasite data to a third party: date of birth, height, gender, or place of birth. ZKPs authentify the possession of the sole, required credential, without revealing non-essential personal data  “irrelevant to a binary yes-or-no ID transaction”. SSI's key feature is the possibility to delete the data stored on the platform.‚Äč

Will the European Union Digital Identity be an SSI? An encouraging occurrence is the mention of digital wallets. 

GEYC, a founding organization of Prisma European Network created GEYC-ID, on the 29th of June 2020. In an interview for PRISMA, Diana Ionita, head of digital at GEYC, answered PRISMA's inquiry on the GEYC Community digital ID. 

 

Why is it relevant for the members of the GEYC community to be able to create their digital identity? 

GEYC promotes awareness about building digital identity and ensuring online safety. Thus, under the framework of the KA2 project Youth Workers 2.0, we have introduced the GEYC-ID, a unique identification number for the Community members. The advantage of GEYC-ID is that the GEYC Community members can control how their data are stored, which offers increased security and control over their personal information. 

What is the model of GEYC-ID? Is it a self-sovereign identity? 

GEYC-ID is a self-sovereign identity, where the Community members have control of their digital identities: they modify or update their personal data and give or cancel their consent over those specific pieces of information. Moreover, if members want to delete their GEYC Community account they can do so by simply accessing the assistance form on geyc.ro/comunitate

What kind of data is stored on GEYC-ID? 

Name, surname, email address, gender, date of birth, phone number, current location, professional profile (educational background, profession, volunteering experience, languages), dietary requirements, medical condition, emergency contact, and social media profiles.   

How does GEYC-ID secure the data of its users?

Besides the fact that GEYC-ID shortens the application process, as it ensures that the participant doesn't have to give their personal data for each application (name, surname, phone, number, date of birth, location, etc.) but rather focus on describing their motivation and why the specific opportunity is relevant for them, we reduce the risk of their data being intercepted by an insecure Wi-Fi connection they may be connected to when filling out an application form. This means that it ensures the non-discriminatory process, indeed the selection is founded on the expertise and/or motivation and not on the name, gender, age, or other personal characteristics. Also, only the data of selected participants is used for further steps in the process, and can only be accessed by staff members with data protection authorization. 

What is the identification method of GEYC-ID?  

A unique identification number automatically created is sent to the GEYC Community members. Using that no. in the application form, they don’t need to fill in any of the personal data already stored. 

How does GEYC-ID conform to the European digital identity proposed by the European Commission? 

Ensuring that the personal data that we require for our activities are stored securely is a priority of GEYC. Since May 2018, we have implemented several changes in our procedures in order to comply with the GDPR. We have also adopted our Data Protection Procedure [GM-09], which states the principles that guide our activities in terms of the GDPR, categories of personal data we process, purposes for which they are processed, and rights of the people that agree to share their data. The procedure is available at geyc.ro/data-protection.