Data Sovereignty and Trusted Online Identity

A Frank Discussion of the Pitfalls and Possible Antidotes

Array

COVID-19 has intensified privacy, security, and sovereignty concerns. The current vaccination passport discussions show that identity is at the center of the current debate. While online IDs are the key for many digital services, the question is who should design and control them?

IEEE SA co-organized a discussion panel at the Pan-European dialogue on Internet Governance (EuroDIG) conference, an event known for its frank and interactive discussions of public policy issues surrounding internet governance. Messages coming out of the discussions will be presented at the Internet Governance Forum (IGF) later this year.

Image of the EuroDIG campus.
Image Source: EuroDIG 2021

The panel discussed the creation of self-sovereign identification from three viewpoints – the government, the private sector, and the citizens.

  1. The government could lead the way, with a centralized public key infrastructure. The EU EIDAS regulation, adopted in 2014, established electronic identification based on such an infrastructure. Uptake has been a challenge with this approach, however. Some countries have seen high adoption rates, such as Estonia, but other countries, such as Germany, still see a low adoption rate.
  2. In a second scenario, the private sector could potentially lead the effort — there are already companies that provide us with secure ID. Some people, however, would be concerned about data privacy.
  3. A third path could involve handing back some control to citizens. One example of such an approach is the European Self Sovereign Identity Framework developed by the EU Commission. Here the control lies neither with a centralized government service nor with private companies, but is given to the citizens.

Dr. Clara Neppel, Director of IEEE Europe, and Moderator of the session asked Pēteris Zilgalvis, Head of Unit, Digital Innovation and Blockchain, Digital Single Market Directorate, DG CONNECT, European Commission and Co-Chairman of the European Commission Task Force on Financial Technology, how can we minimize the data that is needed for the services and what he thought of the EU’s Self Sovereign Identity Framework (ESSIF). Mr. Zilgalvis noted that Europe intends to update the EU eID and make the most of emerging decentralized ledger technologies to put Europe at the forefront of both the protection of fundamental rights of its citizens and at the forefront of developing innovative technologies. The proposal for the updated eIDAS regulation establishes, among other things, a framework for European digital wallets, enabling citizens to link their national digital IDs with their driving license, diplomas, bank accounts, and more without storing them with a centralized operator.

On July 5th, the European Union announced that it was creating a framework for digital identity that could serve as a secure European eID—the European Self-Sovereign Identity Framework (ESSIF). The intent of ESSIF is to make it easier to access public services and do business across borders within Europe. ESSIF will implement a generic self-sovereign identity (SSI) capability, which will allow users to create and control their own identity across borders without relying on centralized authorities. The EU already had an electronic authentication system regulation (eIDAS), approved in 2014 that will be amended to support ESSIF and address issues of poor uptake and lack of mobile apps to support it. There are also plans to support the creation of digital wallets for mobile devices. Users, when asked to share information, could then use the wallet to select the exact information to share.

Decentralized ledger technology-based self sovereign ID solutions are one of the technological solutions available within the framework. ESSIF allows the member states and the markets to choose the complementary mix of technologies they would like to use. These solutions will underpin the new EU eID, which aims to put citizens in control of their own digital identity. Zilgalvis noted that this approach fits well with the ideology of the EU, which focuses on protecting individuals’ privacy and fundamental rights.

  • SSI – Self Sovereign Identity (SSI): The identity created and managed by an individual (not by a third party), for themselves.
  • Electronic identification (eID): eIDs gives consumers and businesses a way to prove their identity, electronically. It is meant to save people time and help businesses expand their customer base. With an eID in Europe, citizens can, for instance, open a bank account in another country using their national ID.
  • Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation: The “Regulation on electronic identification and trust services for electronic transactions in the internal market” is a European regulation adopted in 2014 that includes “electronic identification” (eID) and “electronic Trust Services” (eTS) meant to help Europeans conduct their business within Europe and that is now to be amended to support decentralized solutions with the introduction of qualified electronic ledgers.
  • European Blockchain Services Infrastructure (EBSI): The European blockchain services infrastructure which is meant to deliver EU-wide cross-border services using blockchain technology. Based on a ministerial declaration signed by all 27 member states and Norway and Liechtenstein, the first use cases of the framework will be deployed this year.
  • European Self Sovereign Identity Framework (ESSIF): The European self-sovereign identity framework (ESSIF) is part of the European blockchain service infrastructure (EBSI). ESSIF focuses on user control, and is meant to remove data silos and provide interoperability.
  • Trust service for electronic ledgers: This is a new trust service under the Commission proposal ensuring the trustworthiness of electronic ledgers under the eIDAS regime. It will underpin self-sovereign identity solutions. (ESSIF is one use case of the European Blockchain Services Infrastructure [EBSI] delivering EU-wide cross-border public services using blockchain technology)
  • Digital Identity wallets: There is a legislative proposal for establishing a Framework for a European digital wallets, which will enable citizens to link their national digital identities with proof of other personal attributes (e.g., drivers license, bank account, degrees.

ID Verification May Not Produce the Results We Hope For

Fellow discussant, Cecilia Alvarez, Facebook’s EMEA Privacy Policy Director, pointed out some difficulties with the current situation, however. She commented that there has been a proliferation of proposals calling for various forms of authentication that include, or are conflated with, ID Verification (IDV), and that these authentication mechanisms, while they are meant to help curb online speech harms, facilitate government services, protect youth, and address fraudulent online activities, might not.

She pointed out that risks to people’s access, well-being, and privacy must be balanced with each other when determining whether authentication is appropriate (and if so, what method). While it is thought that ID verification through the de-anonymizing of users will protect online speech, Ms. Alvarez noted that forcing people to show their ID to others might undercut individuals’ ability to enjoy their fundamental right of expression. She also said that, surprisingly, identifiability has not been shown to be an effective remedy for harmful speech online and suggested that perhaps there are alternative models that could be effective. With respect to protecting youth, ID verification is problematic, she continued, because so many youth do not have identification and as a result, the verification system is not necessarily providing the solution.

Mandatory ID verification requirements could magnify inequalities. Requiring people to verify their identity may exclude those who do not have access to the ID system like youth and older people, or those who cannot afford devices and internet connections. Nishan Chelvachandran, Founder and CEO, Iron Lakes, Chair, Trustworthy Technical Implementations of Children’s Online/Offline Experiences Industry Connections Programme, IEEE Standards Association, and Co-Chair, AI-Driven Innovations for Cities and People Industry Connections Programme, IEEE Standards Association remarked, “We are building services for people who have access to these [digital] solutions, but what about people who don’t have access to these services, like minority communities and lower income groups?” To begin to address this, Mr. Chelvachandran recommends adopting a flexible or risk-based approach in identifying which method to use and whether there are alternatives, in order to take into account these inequalities.

“When building a system that relies on access to these solutions then how do these [unconnected] people access the system? This can actually perpetuate that kind of divide.”

– Nishan Chelvachandran, Founder and CEO of Iron Lakes

Ms. Alvarez pointed out that, according to World Bank data, 1 billion people in the world lack access to ID documents, and one million of those people are in Europe. We need to consider offering more than one solution, or more than “one basket” in which to put our eggs, as she put it, “We need to think about the marginalized people and need to think about them when we provide baskets.”

What to do?

Mr. Zilgarvis recommended that we should not put responsibilities on citizens to determine what is safe or not. Their fundamental rights must be covered. Then we need to give people easy to use tools/labels.

“There is an important point to make here while supporting user empowerment and individual autonomy: It is not to put responsibility onto the citizen— ‘Here it is. Take care of yourself. Go look at these different frameworks. Try to figure out what’s safe and what is not.’ The legal framework has to be simple and protect citizens from things that violate fundamental rights.”

– Pēteris Zilgalvis, Head of Unit, Digital Innovation and Blockchain, Digital Single Market Directorate, DG CONNECT, European Commission

People need to know how and what data is disclosed, which will be an option under the new ID. Self sovereign ID solutions like ESSIF create a secure European ID. Citizens control how and what data is shared. Decentralized ledger technologies provide an option under the new eID regulation. We have to give citizens the tools to realize their autonomy/rights in this area, and the interface cannot be too technical, nor should it be too legally complex and filled with boilerplate that benefits no one. Local regions/states are developing systems that make sense for them.

Mr. Chelvachandran noted that the ESSIF is a step in the right direction, to explore the uses of multi-blockchain networks for accountability, and to create a self-sovereign identity capability, decentralising authorities. However, these systems are either built by the government or built by the private sector and the people are usually just the “end user”. He advocated for involving users in creating the tools, so companies can manage personal data with transparency and with respect for people’s rights and he wondered if the poor uptake seen with previous government solutions was due to the fact that citizens were not involved in the design process? If so, how can they be better involved?

“We have seen that these technological solutions, and even frameworks, are bilateral – they are either built by the government or by the private sector. The end user — the citizens, the humans in the formula — are not involved in the process. Something is delivered to them and they use it, be it a service, a government service, or public sector deliverable.”

– Nishan Chelvachandran, Founder and CEO, Iron Lakes

How do we actually involve citizens, though, and how do we do so in a large scale way? Mr. Chelvachandran said that, though it hasn’t been done yet, “what is really key is that we need to create a hybridized approach to really incorporate citizens into the design process to work together with government and private sector to design a solution. This nexus can fuel innovation in an equitable and accessible way.”

When we talk about a citizen approach the important thing to consider is if the eID solutions we are developing address the risks, and solve the problems that people actually face. Within certain communities such as older people, rural residents, and minority communities, for example, the uptake of mobile phones is low compared to the people who are better off socio-economically, so apps, multifactorial identification, and single sign-on may not be appropriate solutions.

Furthermore, people are different. One person might be willing to consent to their data being used by the government but not a private entity. Another person might want to minimally share. What is important is for people to know how their data is being used and stored, and to have a mechanism to allow the individuals themselves to determine who uses their data and for what purpose. Having these considerations addressed in the design stage and through to the solution is key, and the only way to do that is to involve citizens in the process.

Transparency is essential for making the services trustworthy. All agreed that people should be aware of what is happening with their data. Ms. Alvarez was asked what actions she thought should be taken to ensure that the user can know about consent acquisition management and use of their personal data.

All organizations are facing the challenge of how to deliver transparency in an effective way. Ms. Alvarez pointed out that companies feel they need to address all of the elements of a given law in the terms and conditions, but perhaps the solution is explaining the things that matter the most, not everything. People need to be informed enough, she said. We need to consider how to do that simply, and not in a misleading way.

“If a company has the obligation to address certain things that are listed in the law, you need to address them. And therefore, there is tension between information, executive information, and transparency. I think to be transparent, doesn’t mean to explain everything.”

— Cecilia Alvarez, EMEA Privacy Policy Director, Facebook

Having drafted privacy policies for more than 20 years, Ms. Alvarez admitted that those policies were not so successful in delivering transparency. They are long and complex. She said she needed to create them because the law required her to do it and noted that there is definitely room for change. Currently, online terms of service are not usually modifiable—if you do not agree to all of the terms, then you cannot use the device—and most people do not read them. Ms. Alvarez recommended making the information contextual, by showing them, at the moment they are asked to provide personal data, what data is requested and what will happen to it.

How to make the information digestible? Nutrition Labels. A participant suggested that both the public and private sectors should work to make the concepts easier for the user to understand, and provide something like a nutrition label to indicate to people in a simple way what is happening with their data. The discussants agreed that it was a good idea. Ms. Alvarez added that on an airplane, people receive very important information about what to do in case of an emergency on a simple two page card that uses primarily illustrations, in order for one to know what to do in case there is an accident. She noted that Google is making something similar to help inform a broad audience about their AI models.

Airplane Safety Instructions

“If we can have two page leaflet drawings for the airplane, maybe we can do this for the patients [users].”

— Cecilia Alvarez, EMEA Privacy Policy Director, Facebook

Standards Help Develop Interoperability

With authentication methods proliferating and data stores growing, the discussants recognized that governments are hard pressed to keep up with the pace of innovation. Legal frameworks for data governance take time to create and to pass through the legislative system. Discussants noted that frameworks are often built based on a certain technology, and then technology changes. Mr. Chelvachandran emphasized that “The framework needs to work irrespective of the technology, and interoperability is key.” “Privacy-preserving technology, such as blockchain, in itself cannot be relied on,” said Mr. Chelvachandran.

“The appropriate frameworks, living legal instruments and standards on interoperability must be created,on which the technology can be maximized in a universally inclusive, progressive manner.

Mr. Zilgarvis noted that “building standards represents extra work on top of building the system itself, but standards are absolutely essential to the functioning of the system. There is a need to make things simpler for practitioners and we are trying to facilitate this.” Noting that DG Connect supports standardization certification, Mr. Zilgarvis added, “We need to figure out a way of standardizing, allowing for both the normalization of data and the interoperability of data whilst including agency and consented use of such data in those processes.”

Mr. Chelvachandran concluded by saying “We must strike a balance. We need to allow the private sector to innovate sustainably and inclusively while also letting the government support citizens.” We must also include citizens in our design processes and governance frameworks, so that the balance can return to the main driver, the citizen. “We need less talking and more doing,” he said. “The impetus is there, but we need to start.”

Looking to the future, a solid self sovereign identity framework can be a strong step toward supporting data pooling and data sharing, building trust in and scaling distributed ledger technologies explained Ms. Neppel, and we all agree that the infrastructure must be in line with people’s fundamental rights as a starting point. There is no one solution. We need to involve all stakeholders—the government, the private companies, as well as the citizens—in order to successfully handle important issues such as interoperability, inclusion, and/or certification.

Watch the recording of the session (02:12:00-03:24:00) or check out the session webpage — Data Sovereignty and Trusted Online Identity – COVID-19 Vaccination Data.

Author: Kristin Little

Share this Article