EFF: Digital Identification Must Be Designed for Privacy and Equity

With growing frequency, the digital world calls for verification of our digital identities. Designed poorly, digital identification can invade our privacy and aggravate existing social inequalities. So privacy and equity must be foremost in discussions about how to design digital identification.

Many factors contribute to one’s identity: degrees, morals, hobbies, schools, occupations, social status, personal expression, and so on. How these are expressed looks different depending on the context. Sometimes identity is presented in the form of paper documentation; other times, it’s an online account.

Ever since people began creating online accounts for various services and activities, the concept of online identity has been warped and reshaped. In recent years, many people have been discussing the idea of a “self-sovereign identity” (SSI) that lets you share your identity freely, confirm it digitally, and manage it independently, without an intermediary between you and the world to confirm who you are. Such an identity is asynchronous, decentralized, portable, and most of all, under the control of the identity holder. A distinct concept within SSI is the “decentralized identifier,” which focuses more on the technical ecosystem in which one controls their identity.

There has been a growing push for digital forms of identification. Proponents assert that it is an easier and more streamlined way of proving one’s identity in different contexts, that it will lead to faster access to government services, and that it will make IDs more inclusive.

Several technical specifications have recently been published that develop this idea into real-world applications. This post discusses two of them, with a focus on the privacy and equity implications of such concepts and how they are deployed in practice.

The Trust Model

Major specifications that address digital identities place them in the “trust model” framework of the Issuer/Holder/Verifier relationship. This is often displayed as a triangle showing the flow of information between the parties involved in digital identification.

[Figure: The Issuer/Holder/Verifier relationship displayed as a triangle, with one-way relationships between each party]

The question of who acts as the issuer and the verifier changes with context. For example, a web server (verifier) may ask a visitor (holder) for verification of their identity. In another case, a law enforcement officer (verifier) may ask a motorist (holder) for verification of their driver’s license. As in these two cases, the verifier might be a human or an automated technology. 

Issuers are generally institutions with which you already have an established relationship and which have issued you some sort of document, like a college degree or a career certification. Recognizing these more authoritative relationships becomes important when discussing digital identities and how much individuals control them.

Verifiable Credentials

Now that we’ve established the framework of digital identity systems, let’s talk about what actually passes between issuers, holders, and verifiers: a verifiable credential. What is a verifiable credential? Simply put, it is a claim that can be trusted among an issuer, a holder, and a verifier.

In November 2019, the World Wide Web Consortium (W3C) published an important standard, the Verifiable Credentials Data Model.

This standard was built on the trust model in a way that satisfies the principles of decentralized identity. The structure of a verifiable credential consists of three parts: credential metadata, a claim, and a proof of that claim. The credential metadata can include information such as the issue date, context, and type.

...
"id": "http://example.edu/credentials/1872",
"issuanceDate": "2010-01-01T19:23:24Z",
"type": ["VerifiableCredential", "AlumniCredential"],
...

The id fields in a VC can draw on another W3C draft specification: Decentralized Identifiers (DIDs). That specification was built with the principles of decentralized, self-sovereign identity in mind, particularly portability.

...
"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
"alumniOf": {
...
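
Putting these fragments together, a complete credential might look something like the sketch below. This is a minimal illustration modeled loosely on the examples in the W3C specification; the values are placeholders, and the proof block simply shows where the issuer’s digital signature would sit.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "http://example.edu/credentials/1872",
  "type": ["VerifiableCredential", "AlumniCredential"],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "alumniOf": {
      "name": "Example University"
    }
  },
  "proof": {
    "type": "RsaSignature2018",
    "created": "2018-06-18T21:19:10Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "https://example.edu/issuers/565049#key-1",
    "jws": "..."
  }
}

The metadata (id, type, issuer, issuanceDate) describes the credential itself, the credentialSubject carries the claim, and the proof is what a verifier checks against the issuer’s public key.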

While these specifications provide structure, structure alone does not guarantee the integrity of the data.

Mobile Driver’s Licenses

The W3C is not the only standards body working to build specifications that define how digital identity is built and exchanged. The International Organization for Standardization (ISO) has an as-yet unpublished standard that defines how a Mobile Driver’s License (mDL) application would function on a mobile device. This also follows the trust model discussed above and extends it to how our phones could be used in exchanges that verify our driver’s licenses.

[Figure: In-person use of a mobile driver's license while connected to the internet]

This specification isn’t centered on decentralized identity. Rather, it defines mobile portability of one’s government-issued ID in a mobile application. It is relevant to discuss as one of the digital identification options different governments have tried. The focus on mobile driver’s licenses gives us a practical way to examine the exchange of data, anti-tampering systems, and data privacy. The specification discusses widely available and agreed-upon standards for session management, encryption, authentication, and storage.
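
To make this more concrete, the sketch below shows the kinds of data elements a mobile driver’s license might carry. The standard itself encodes these in CBOR inside an ISO-defined mobile document structure rather than JSON, and the element names here are approximations of that namespace, so treat them as illustrative rather than authoritative. Importantly, a verifier is meant to request only the elements it needs, for example just an age attestation rather than the full license.

{
  "family_name": "Doe",
  "given_name": "Jane",
  "birth_date": "1990-01-01",
  "issue_date": "2019-03-15",
  "expiry_date": "2024-03-15",
  "issuing_authority": "Example State DMV",
  "document_number": "D1234567",
  "driving_privileges": [{ "vehicle_category_code": "C" }],
  "age_over_21": true,
  "portrait": "..."
}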

“Digital First” Identities Could Lead to Privacy and Equity Last

These thorough specifications are a significant contribution to the development of digital identification. But the concept of “digital first” raises major concerns around privacy preservation, safety, and the impact on marginalized communities.

Both specifications recommend data minimization, avoiding collection of personally identifiable information (PII), proper auditing, proper consent and choice, and transparency. However, without a comprehensive federal data privacy law, these are just recommendations, not mandates. Our data is not generally protected, and we currently suffer from private companies constantly mismanaging and unethically exchanging data about our everyday lives. Every time a digital ID holder uses their ID, there is an opportunity for the ID issuer and the ID verifier to gather personal data about the ID holder. For example, if a holder uses their digital ID to prove their age to buy a six-pack of beer, the verifier might make a record of the holder’s age status. Even though PII wouldn’t be exchanged in the credential itself, the holder may have payment information associated with that transaction. This accumulation of personal information might be sold to data brokers, seized by police or immigration officials, stolen by data thieves, or misused by employees. This is why, at a minimum, having a “digital first” identity should be a choice made by the individual, and not a mandate by the government.

Some of these privacy hazards might be diminished with “zero-knowledge proofs,” which cryptographically confirm a particular value without disclosing that value or associated information. For example, such a proof might confirm that a holder received a degree from a university, without revealing the holder’s identity or any other personal data contained in that degree. The W3C and mDL specifications promote such privacy-preserving methods. But these specs depend on all parties voluntarily doing their part to complete the trust model.
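
As a rough sketch of the idea (the field names and proof type below are hypothetical, not taken from any published signature suite), a holder might hand a verifier a derived presentation that reveals only the single fact being proven, with everything else, including the holder’s name, identifier, and graduation date, staying on the holder’s device:

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiablePresentation"],
  "verifiableCredential": [{
    "type": ["VerifiableCredential", "AlumniCredential"],
    "issuer": "https://example.edu/issuers/565049",
    "credentialSubject": {
      "alumniOf": { "name": "Example University" }
    },
    "proof": {
      "type": "ExampleZkSelectiveDisclosureProof",
      "nonce": "...",
      "proofValue": "..."
    }
  }]
}

In practice, selective-disclosure signature schemes being explored in the verifiable credentials community (such as BBS+-based suites) are what would make this kind of derived proof possible.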

That will not always be the case. For example, when a holder presents their digital identification to a law enforcement official, that official will probably use that identification to gather as much information as they can about the holder. This creates special risks for members of our society, including immigrants and people of color, who are already disproportionately vulnerable to abuse by police, border patrol, or other federal agents. Moreover, mandated digitized IDs are a troubling step towards a national ID database, which could centralize in one place all information about how a holder uses their ID.

One could argue that these specifications do not themselves create national ID databases. But in practice, private digital ID companies that utilize biometric technology to confirm people’s identities are very active in the conversations about actual implementation. The W3C’s Verifiable Credentials specification itself recognizes the privacy concerns of persistent, long-term identifiers tied to personal information.

There also are privacy concerns in other applications of verifiable credentials. In California, Asm. Ian Calderon and Sen. Bob Hertzberg have proposed a bill (A.B. 2004) that would purport to verify dynamic and volatile information, such as COVID-19 testing results, using a loosely interpreted application of the W3C’s Verifiable Credentials. We oppose this bill as a dangerous step towards immunity passports, second-class citizenship based on health status, and national digital identification. In this case, it’s not the specification itself that is the concern, but rather its use to justify creating a document that could cause new privacy hazards and exacerbate existing inequality in society. Whether or not you have been infected is private information in itself, no matter how well thought out and secure the application used to present it is.

When thinking about verifiable credentials, solutions to make personal information more portable and easier to share should not ignore the current state of data protection, or the lack of access to technology in our society. The principle of decentralizing one’s information into one’s own ownership is deeply intertwined with, and contextualized by, privilege. Any application a government, company, or individual creates regarding identity will always be political. Therefore, we must use technology in this context to reduce harm, not escalate it.

Some potential uses of digital identification might create fewer privacy risks while helping people at society’s margins. There are ways that digital identifiers can respect privacy recommendations, such as cases where people can use a one-time, static, digital document for confirmation, which is then destroyed after use. This can reduce situations in which people are asked for an excessive amount of documentation just to access a service. This can especially benefit people marginalized by power structures in society. For example, some rental car companies require customers who want to use cash (who are disproportionately unbanked or underbanked people) to bring in their utility statements. A one-time digital identifier of home address might facilitate this transaction. Likewise, government officials sometimes require a child’s immunization records to access family benefits like the WIC (Women, Infants, and Children) nutrition program. A one-time digital identifier of immunization status might make this easier. These are examples of how verifiable credentials could improve privacy and address inequality, without culminating in a “true” decentralized identity.
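
A sketch of such a one-time credential might look like the following, where the type name and fields are hypothetical (not drawn from any published vocabulary) and the credential expires minutes after it is issued, carrying only the single fact needed:

{
  "type": ["VerifiableCredential", "ProofOfAddressCredential"],
  "issuer": "did:example:utilitycompany",
  "issuanceDate": "2020-08-01T12:00:00Z",
  "expirationDate": "2020-08-01T12:15:00Z",
  "credentialSubject": {
    "residentialAddress": "123 Main St, Oakland, CA"
  },
  "proof": { "jws": "..." }
}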

The privacy recommendations in the W3C and mDL specs must be treated as a floor, not a ceiling. We implore the digital identity community and technologists to consider the risks to privacy and social equity. It can be exciting for a privileged person to freely carry their information in a way that breaks down bureaucracy and streamlines their life. But if such technology becomes a mandate, it could become a nightmare for many others.

