
Self-Sovereign Digital Identity: The Management of Identities and the Ability to Prove Who We Are

By Tatiana Revoredo


Excerpt from my lecture about Digital Identity at the World Legal Summit (WLS2019)

The ability to prove who we are

Few things are more central to a functioning society and economy than identity. Without means of identifying one another and our possessions, we would hardly be able to build great nations or create global markets [1].


As more people, devices, and associated personal data go online, there is an increasing focus on one essential element of this new digital environment: our identities.

The ability to prove that we are who we say we are increasingly determines our opportunities to establish trust in each other and carry out meaningful interactions in the digital economy.

If approached correctly, it offers transformative opportunities, such as access to basic services and more customized digital experiences, better health and well-being, better traceability in supply chains, security for citizens, and global protection of biodiversity.


However, we are still learning what "identity in a digital world" means.


We are also still developing policies and practices on the best way to collect, process, and use identity-related data so as to empower individuals without violating their freedom or causing them harm. There is significant room to improve how identity data is handled online and how much control individuals have in the process.

Here, it is worth highlighting the fact that:


When thinking about digital identity, we need not see it as a single thing. Digital identity is the total sum of all the attributes that exist about us in the digital world, an ever-growing and evolving collection of data points.

There are persistent, and increasingly serious, issues in the way digital identity works today.


Overview of the Current Identity System in Brazil

Today, the identity system in Brazil is still, for the most part, analog and quite fragmented.

To illustrate, biometric civil identification is not unified in the country; that is, Brazil does not have an integrated fingerprint registry.

Therefore, citizens can obtain different (physical) identity cards anywhere in Brazil.

That means that a malicious person may obtain multiple (physical) identity cards in Brazil, one in each state. All of them will have the same fingerprint, but with different names and data, due to the lack of biometric integration among the states.

For instance, a "Potiguar" (a person who was born in the state of Rio Grande do Norte, in the North of Brazil) may use the data of a "Paulista" (a person who was born in the state of São Paulo) to register his or her identity in Rio de Janeiro.

That occurs because biometric civil registration is a state (not federal) responsibility, which is why each state has its own regulations and its own level of maturity, not to mention that it is an expensive and troublesome process.

Members of the military forces are in a separate identification database, which other state agencies cannot access. If the police arrest someone without an identification card, the person is then registered under the information given at the time of the arrest.


Nevertheless, digital identification has advanced in Brazil.


Brazil is one of the few countries where the state has created a public key infrastructure, the Infraestrutura Brasileira de Chaves Públicas (ICP-Brasil, the official PKI in Brazil), legally established by Provisional Measure 2,200, last issued on August 24, 2001.

Another positive point is that, besides digital identity, the Brazilian method also allows checking the expiration date of the signature and the integrity of the documents.

Furthermore, since 1997 [2], Brazil has been preparing to launch its national digital identity service and has advanced on a data interoperability agenda.

In 2008, the Superior Electoral Court (Tribunal Superior Eleitoral, TSE, in Portuguese) started registering voters, now with their biometric information.

Later, in 2017, the DNI project was approved by federal law (Lei Federal No 13.444/2017 [3]), which created the National Civil Identification (ICN, Identificação Civil Nacional). Tests were performed in 2018, with the TSE team testing digital identification and members of parliament and federal civil servants registering in May 2018.

Using the biometric database of the Electoral Justice as a base, around 100 million Brazilian citizens, out of a total population of over 210 million people, have had their biometric data captured by the TSE so far. Besides the information regarding voting cards, the Brazilian digital ID repository is being launched with social security data. As stated by the TSE, the data of the ICN program could be used by the National Institute of Social Security (INSS, Instituto Nacional de Seguridade Social) to reduce benefit fraud.

According to the agency responsible for the National Civil Identification (ICN) program [4], the Superior Electoral Court (TSE), Brazilian states are currently being evaluated and prepared for the implementation of national digital identification, expected for November of this year.

The project foresees the inclusion of other documents, such as driver's licenses and birth and marriage certificates, as well as public health records and, eventually, identification cards, which every Brazilian citizen already owns.

Digital identification in Brazil is expected to be fully implemented in 2020.


The International Landscape


The United States of America

According to the report [5] published by the Better Identity Coalition, an organization focused on developing the best solutions for identity verification and authentication, US$ 16.8 billion was lost in the United States to identity fraud in 2017, and in the same year the number of data breaches increased by 44.7%.

Almost 179 million records containing personal information were exposed, which illustrates the inadequacy of current identity systems.

The report presents a set of consensus-based, cross-sector, and technology-agnostic policy recommendations (the "Policy Plan") for addressing the current inadequacy and improving digital identity in the United States.


Estonia

Estonia has one of the most advanced systems of digital identification in the world.


Much more than a legal photo ID, the mandatory national card also offers digital access to all of Estonia's secure electronic services. 98% of Estonians have a "cumulative" digital identity, 67% regularly use ID cards, and 88% frequently use the Internet [6].

The card chip carries embedded files and, using 2048-bit public-key cryptography, can be used as definitive proof of identification in the electronic environment.


Here are some examples of how it is regularly used in Estonia [7]:

  • legal travel identification for Estonian citizens traveling within the EU

  • national health insurance card

  • proof of identification when logging in to bank accounts

  • digital signatures

  • i-voting

  • checking medical records

  • submitting tax returns, among others.

Estonia sees the next natural step in the evolution of the electronic state as the full transfer of essential services to digital form.

World Economic Forum

The World Economic Forum has an initiative called Shaping the Future of Digital Economy and Society [8], a global cooperation platform for establishing a sustainable, inclusive, and reliable digital economy.

This global cooperation platform aims to achieve six outcomes worldwide:

  1. Access and adoption (everybody, regardless of geography, gender, or income, can access and use the Internet.)

  2. Responsible digital transformation (businesses, governments, and civil society leaders must act with responsibility and competence to promote a sustainable digital transformation.)

  3. Fit-for-purpose, informed governance (global, regional, and national policies are informed by evidence and well equipped to deal with the transnational nature of digital connectivity.)

  4. Safe and resilient people, processes, and practices (all individuals, institutions, and infrastructure are resilient to the vulnerabilities created by increased digital connectivity.)

  5. User-centric and interoperable digital identities (people can access and use inclusive digital identity systems that enhance their social and economic well-being.)

  6. Reliable data innovation (institutions may share data to create social and economic value while respecting the privacy of digital citizens.)

Taking these six guidelines as the basis for a sustainable, inclusive, and reliable digital economy, a diverse group of public and private stakeholders committed, at the 2018 Annual Meeting of the World Economic Forum in Davos, to cooperating to promote good, user-centric digital identities.

Thus the Platform for a Good Digital Identity emerged, aiming to advance global progress toward digital identities that satisfy at least five criteria.


Criteria for the Platform for a Good Digital Identity

According to the World Economic Forum, a good digital identity must be fit for purpose, inclusive, useful, secure, and offer choice to individuals.

This will be done by advancing collaboration in six significant areas [9]:

  1. Moving the emphasis beyond identity for all toward identities that provide value to the user.

  2. Creating metrics and accountability for good identity.

  3. Creating new governance models for digital identity ecosystems.

  4. Promoting the stewardship of good identity.

  5. Encouraging partnerships around best practices and interoperability, when appropriate.

  6. Innovating with technologies and models and building a library of successful pilots.

Indicating paths

  1. Building new identification structures based on the concept of decentralized identities. Thanks to a combination of technological advances, including the increasing sophistication of smartphones, advances in cryptography, and the advent of blockchain, an interesting subset of decentralized identity is now feasible.

  2. Pursuing a self-sovereign decentralized digital identity system in which the user controls not only the identity but also the data associated with it, known as Self-Sovereign Identity (SSI). In an SSI approach, the user has a way of generating and controlling unique identifiers, as well as some facility for storing identity data. Users are free to use whatever identity data they like. This may be verifiable credentials, but it may also be data from a social media account, a transaction history on an e-commerce website, or attestations from friends or colleagues. There are no limits.

  3. Recognizing that digital identity is the total sum of all the attributes that exist about us in the digital world, an ever-growing and evolving collection of data points.

  4. Establishing international coordination and the harmonization of identity standards.

  5. Educating consumers and companies about better digital identity solutions.

  6. Governments should seek partnerships with industry to educate consumers and companies about modern approaches and best practices in identity protection and validation. An example of a potential partner to consider is the National Cyber Security Alliance (NCSA), which already has a strong portfolio in managing public-private partnerships to raise public awareness of cybersecurity.

Blockchain — powerful solution for different aspects of the decentralized identification structure

Regarding perspectives and insights about digital identity, there are persistent, and increasingly serious, issues in the way digital identity works today.

Most of the problems related to digital identity, though, are associated not with technology but with processes.

The shift from a centralized Internet (Web 1.0 and 2.0) to a decentralized Internet (Web 3.0) has already begun. It is no accident that many countries have adopted a decentralized identity paradigm, especially in Europe, whose goal is to put the user at the center of the structure, thus removing the need for third parties to issue and manage identity.

In the decentralized identity world, users create their own digital identities. That usually starts with a user creating his or her own unique identifier or identifiers, and then attaching information to that identifier in a way that makes it possible to validate that it is genuine. That done, the user can collect credentials from trusted authorities and present them when necessary.
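The flow described above (a self-created identifier, a credential from a trusted authority, presentation on demand), as an added example that is not part of the original lecture. It is a simplified sketch using Ed25519 keys and Node's built-in crypto module, not a W3C DID method; the `did:example:` identifier format, the function names, and the `over18` claim are assumptions made for illustration.

```javascript
// Added illustration: a simplified decentralized-identity flow, not a W3C DID method.
const crypto = require('node:crypto');

// Deterministic bytes to sign: JSON with sorted keys (flat objects only).
const canon = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const keyFrom = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, 'base64'), format: 'der', type: 'spki' });
// The identifier is a hash of the public key, so it can be re-derived and checked.
const idFor = (b64) => 'did:example:' +
  crypto.createHash('sha256').update(Buffer.from(b64, 'base64')).digest('hex').slice(0, 32);

// 1. A party creates its own key pair and identifier; no registrar is involved.
function createIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const publicKeyB64 = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { id: idFor(publicKeyB64), publicKeyB64, privateKey };
}

// 2. A trusted authority signs a claim about the holder's identifier.
function issueCredential(issuer, subjectId, claim) {
  const body = { issuer: issuer.id, subject: subjectId, claim };
  const signature = crypto.sign(null, canon(body), issuer.privateKey).toString('base64');
  return { ...body, signature };
}

// 3. The holder produces the credential and signs the verifier's fresh nonce.
function present(holder, credential, nonce) {
  const proof = crypto.sign(null, Buffer.from(nonce), holder.privateKey).toString('base64');
  return { credential, holderKey: holder.publicKeyB64, proof };
}

// 4. The verifier checks the issuer, its signature, the key binding and the proof.
function verifyPresentation({ credential, holderKey, proof }, nonce, trustedIssuers) {
  const { signature, ...body } = credential;
  const issuerKey = trustedIssuers.get(body.issuer);
  if (!issuerKey) return 'untrusted issuer';
  if (!crypto.verify(null, canon(body), keyFrom(issuerKey), Buffer.from(signature, 'base64')))
    return 'bad issuer signature';
  if (idFor(holderKey) !== body.subject) return 'holder key does not match subject';
  if (!crypto.verify(null, Buffer.from(nonce), keyFrom(holderKey), Buffer.from(proof, 'base64')))
    return 'bad holder proof';
  return 'ok';
}

// Constructed sample run: a registry issues an "over18" claim to a user.
const registry = createIdentity(), user = createIdentity();
const trusted = new Map([[registry.id, registry.publicKeyB64]]);
const cred = issueCredential(registry, user.id, 'over18');
console.log(verifyPresentation(present(user, cred, 'nonce-1'), 'nonce-1', trusted)); // prints "ok"
```

The verifier rejects an altered claim, a credential presented by someone who does not hold the subject's key, a presentation replayed against a different nonce, and a credential signed by an issuer it does not trust.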


While blockchain is not necessary for decentralized identity, it may be a powerful solution for different aspects of the decentralized identity structure. It could support the creation and registration of DIDs, notarize credentials, provide a decentralized infrastructure for access control and consent to the use of data, and potentially pass credentials to smart contracts, for instance, to make automated payments.

Although technical and standards developments are undoubtedly significant for implementing a new digital identity structure, as in so many other aspects of technology, the legal and regulatory issues are fundamental, all the more so considering that our identity touches so many critical elements of our personal and economic lives.


Takeaway

Finally, to promote the ideal digital identity landscape, public policymakers could:

1 - Clarify the "gray area" of regulatory issues, especially around the status of signatures based on new technologies like blockchain and timestamps under eIDAS.

2 - Create the decentralized digital identity structure while educating government agencies and encouraging them to get involved in its construction, for example, as issuers of verified credentials.

3 - The government can and must play an essential role as an issuer of verified credentials.

4 - Legislators must modernize the legislative framework relating to digital authentication platforms and reduce the barriers to the adoption of innovative security systems.

5 - Elucidate open issues around decentralized identity.

6 - New legislation on privacy, data protection, and security should not be written so broadly that it could prevent the use of promising technologies for risk-based validation.

7 - Governments need to give special attention to cybersecurity and the mitigation of cyber risk, creating systems for detecting and protecting against intruders, cooperating with public and private institutions, thus contributing significantly to user awareness, and taking part in intense international collaboration.


*****

I wrote this text for my participation in the panel "Digital Identity" at the World Legal Summit (WLS2019), which took place in Belo Horizonte, Brazil, on the 1st of August, 2019. I thank the Law Commission for the Startups of the OAB-MG so much for the invitation.

 

Notes:

[1] Blockchain and Digital Identity — European Observatory

[2] When it was determined that registration systems at the state level would be merged into a future unified ID registration.

 

About the Author

Tatiana Revoredo – CSO at theglobalstg.com. Liaison at European Law Observatory on New Technologies. Court Legal Advisor at São Paulo Court of Justice.
