EID And SSI Technology: Privacy Risks And Discrimination Against Citizens?
In addition to the enormous advantages offered by SSI, it is also important to bear in mind that there are dangers lurking for citizens with the digitization of identities. Critics present very valid arguments against the widespread introduction of this technology in society. At this point, I will address these points.
How they can be reduced with appropriate technical and legal measures
In the last two years of intensive study of Self-Sovereign Identity (SSI) I faced many critics despite to the advantages the technology offers over today’s familiar identification and certificate issuance options. They argue unexpectedly strongly with concerns about privacy and surveillance over citizens, ironically the very issues SSI seeks to resolve. Undoubtedly, the criticisms are valid and require closer examination to determine what measures should be derived from them. Since the eID is to be built on the basis of this technology, it is enormously important that consensus is created. How this is achieved I will deep dive in this blog.
In short: what is SSI?
With Self-Sovereign Identity, each individual manages their own third-party issued documents and certificates, called credentials. These can be a state identity (eID), a driver’s license, a settlement permit, a university degree, a tennis club membership, a purchase receipt, etc., stored in digital form on an app (wallet) on the smartphone or similar electronic device in the sole possession of the individual.
The credentials are issued for a globally unique identifier, for example a decentralized identifier (DID), which the wallet manages and which are stored with a unique verifiable digital signature by the issuer. The issued documents can thus be checked electronically for legitimacy. It is not possible to copy, forge or modify the contents, as the signature would expire and the fraud would be uncovered.
What can SSI achieve?
Basically, SSI wants to achieve the following:
Personal data is stored only on the electronic device of the applicable person. The person decides for himself with whom he wants to share data. A central entity that manages the identities (e.g. Google, Facebook, Apple, Samsung) is no longer necessary.
Verifiers can verify credentials with one hundred percent certainty because of the digital signature. Document forgery is no longer possible.
Since the credentials are only stored locally on the phone of the citizen, interaction with the credential issuer is not necessary for verification.
A wallet app can create any number of globally unique identifiers. Each credential can be linked to a different identifier, so that a profile of a specific person cannot be created on the basis of different verified data.
Within a few seconds, a credential can be created and transferred to the owner.
If the wallet is lost, the credentials can be revoked immediately, so that any previously issued documents lose their validity.
SSI thus aims to place the owner of an identity at the center of all activities and to ensure the highest possible level of data protection.
Additionally: Due to the globally unique identifier, SSI allows accounts to be created on the Internet for which neither an e-mail address nor a password are required. The uniqueness and thus assignability to an identity are regulated by the identifier. Remembering passwords and logging in using an e-mail account will be a thing of the past (see also FIDO2 technology or SIOPv2).
Valid arguments of the critics
In addition to the enormous advantages offered by SSI, it is also important to bear in mind that there are dangers lurking for citizens with the digitization of identities. Critics present very valid arguments against the widespread introduction of this technology in society. At this point, I will address these points.
Overidentification
Digitalization makes it possible to store and analyze data with much less effort than before. This is also the case with SSI. Service providers such as online stores, fitness centers or other everyday services have a great incentive to force holders to present the eID, since the verification effort will suddenly be very low, unlike with the physical identity card.
State-issued identities are extremely valuable
eID data is extremely valuable because it is authentic and state-verified. With the threat of identity coercion, third parties receive valuable data and thus become targets of attacks or can resell the data.
Facial images as part of the digital identity
How can you ensure that the holder of an eID is actually the person it claims to be? The facial image is an important component for unambiguous identification and is therefore part of the eID. In order to be able to make a clear match in a KYC process, the holder must release the contents of the eID together with the image. Verifiers will therefore possess the facial images in digital form in the future.
Account login mechanism with the eID
Many websites provide the option of logging in with Google, Facebook or similar (so-called identity providers) and appearing as a “federated identity”. While undoubtedly practical, they pose a major privacy problem, as activities on the web can be attributed to individuals. Such a practical and efficient login mechanism using the eID could become the standard. As mentioned above, digital service providers benefit from valuable government-verified information.
Law does not protect citizens enough
The introduction of the eID comes at the same time as a new law, in Switzerland the BGeID. While currently still in consultation, the first draft is still clearly not protective enough because the reference to the Data Protection Act is not sufficient. Specifically:
It refers to the need for private and public interests when requesting the eID, but does not specify when such an interest exists.
The citizen does not have the right to object (opt-out).
The linkage prohibition of further data (correlation) is not explained in detail.
Another problem arises for citizens when legislation is not coordinated across countries and data protection is not observed equally. Digitization is only weakly aware of geographical and legal boundaries, which is why citizens are exposed to risks in the digital space.
Discrimination and control efficiently implementable
With digital identity, discriminatory supply management of services or products can be implemented efficiently. Certain educational channels could be withheld from certain ethnic groups. There is currently a political debate in Switzerland about age verification for various content on the Internet.
Security gaps in the older generation of cell phones and negligent handling
With the eID, the identity is stored on the electronic devices. As with eBanking, security standards are prescribed for this to ensure the best possible protection for the user. Not all cell phones can comply with these standards.
Correlation issues by unique identifiers
Several global unique identifiers can be used to correlate activities of citizen. This may be an identifier of the software wallet, the decentralized identifier mentioned above, a specific index in the revocation registry or the signature of a specific credential, when used several times.
Status quo is not a solution
Despite the risks that an eID entails, the status quo is not a solution. The loss, inadequate protection of personal data occurs every day today and the verification in the KYC process is time-consuming and cost expensive for companies. Examples:
My bank lost the copy of my ID when I opened a new account. It can no longer be found. Who has this copy now? Where is it used?
The KYC processes to open a bank account or similar take several days. A lot of forms have to be submitted and signed.
Job references or training certificates can be easily falsified.
Today’s verification process is very error-prone, inefficient and not fraud-proof. Obtaining documents from third parties takes several days and costs money. It is very easy to obtain services using someone else’s identity. Personal information data of citizens are stored in many centralized systems, making it vulnerable for hacking and data breaches.
Even in the case of legal entities, a clear and verifiable identity such as the tax number is necessary, for example, to check the authenticity of invoices and account details before a payment is made. Very often, entrepreneurs fall victim to fraud schemes because the identities of business partners are not securely verified.
Additionally, in the international trading business a lot of certificates and import declarations must be shared and verified. This process takes a lot of time, which results in delayed shipments and increasing costs for companies.
Mitigate dangers
The dangers that have been pointed out are justified and must be taken seriously, and all precautions must be taken to minimize them in order to protect the citizen. At this point, I will show measures that help to ensure that SSI and the eID bring benefits for all. They consist of a mixture of legal and technical aspects. It is worth referring to the EU-wide eIDAS Regulation, which has already regulated a great deal on this topic.
Strict eID, data protection and anti-discrimination law
In Switzerland, the Federal eID Act (BGeID) is currently being drafted, which in principle allows a good balance between mandatory legal requirements and openness for the development of decentralized ecosystems. However, tightening is needed at the following points:
There is a lack of clear regulation under which circumstances an eID may be required. The “Schweizerische Anwaltsverband” demands that verifiers may only demand the eID “… if and insofar as this is necessary to fulfill a legal obligation”. This would prevent an unnecessary demand for the eID in everyday life. eIDAS addresses this issue by requiring verifiers to register and report all data they want to collect. I very much support this approach but in the interest of reducing bureaucracy it needs to be limited for all credential issued by government agencies.
It must also be added to the law that non-discriminatory access for people without an eID is guaranteed at all times.
For low Level of Assurance (LoA) cases (e.g., when only age needs to be confirmed), an ID using Zero Knowledge Proof (see below) must be sufficient.
Right of withdrawal at any time, as provided for by the GDPR law in the EU, must be prescribed by law.
BGeID refers to the Data Protection Act, which, however, requires adjustments for handling in the digital space.
Currently, there is no explicit anti-discrimination law in Switzerland, which is repeatedly demanded by various bodies after the publication of studies on the legal effectiveness of the existing provision. With the spread of SSI technology and the possibility of more efficient monitoring of individuals, a tightening of non-discriminatory treatment in the digital space should be discussed.
Non-repudiation approach and independent reporting office for violations
To strengthen the enforcement power of the law, the so-called non-repudiation approach is mandatory. It enables the retrieval of data from the verifiers themselves to be given a digital signature. This means that in the event of a dispute, a citizen can prove that a possible breach of data protection regulations has occurred. An independent ombudsman’s office that records provable violations enables legal prosecution. An open rating system can proactively alert citizens to privacy concerns with specific verifiers.
Extended use of technologies such as ZKP
Third, it must be determined which data may be verified and stored and how. Here, the so-called ZKP technology plays an essential role, with which evidence is shared without sharing the content, for example, that a person is over 18 years old without disclosing the date of birth. In this respect, only parts of documents can be shared selectively using ZKP without disclosing the entire document (Selective Disclosure). Even the unique identifier will be anonymized, so that in no case profiling will be possible using the shared data. By law, criteria must be determined with which ZKP represents sufficient proof.
Safety standards
It must be ensured that globally valid security standards are defined for the wallets. The European Commission released, based on the eIDAS regulation, an Architecture and Reference Framework for an European Identity Wallet on February 10 2023. I want to point out the most important measures and add others:
Each credential can be associated with multiple identifiers that are not yet in use. Each time the document is presented, one random linked identifier is used, making profiling almost impossible.
The identifier itself of the holder is never stored publicly (for example on a blockchain).
Regular exchange of security keys (public-private key pair) helps prevent identity theft. Additional advanced backup capabilities allow to restore access in case of loss or compromise.
The security keys are stored in so-called Secure Enclaves (SE) or similar according to the latest standards and are thus encrypted and not readable by third-party applications and the OS such as Apple and Android.
Biometric data such as Face ID or fingerprint, also stored in the Secure Enclave, must be queried repeatedly, for example, when the wallet is opened AND when data is transferred to verifiers. This prevents unauthorized persons from misusing data if the electronic device is lost.
Optional Custodial Wallets
Technically, managing wallets and complying with security rules is not a simple undertaking for any citizen. Therefore, third-party entities such as banks or insurance companies will provide so-called custodial wallets (either as a cloud service or as an app) and take over the wallet backup administration for the holders. This enables faster acceptance and adoption and helps prevent data loss.
Custodial wallets, to the extent that it goes beyond just a backup function, are fundamentally at odds with the goals SSI is trying to achieve, as the wallet provider theoretically has visibility into all of the citizen’s activities. Therefore, such types of wallets must be provided with the strictest privacy rules.
I am not yet aware of any solution to the danger of digital facial image transmission. I welcome suggestions on how to address this issue.
Pascal Gottret is a digital identity advocate working to contribute towards the discussion on citizen first identity that can preserve privacy and rights within Switzerland. You can follow more of Pascal’s writings on his medium blog here.
