One single app to rent a hotel room, prove your age, present your educational, financial or health certificates, or access digital public and private services? Sounds convenient? Well, it is. But if done wrong, it will be equally easy for corporations, authorities or even bad actors to create highly detailed profiles about you – spanning a vast area of your everyday life – or to abuse this treasure trove of sensitive personal information in other ways.
In an open letter together with 24 civil rights organisations, academics and research institutions, we therefore urge policy makers to include the essential privacy and non-discrimination safeguards as well as proper protection against malicious actors.
Will the decision makers take care of their citizens and protect their sensitive data or will we end up with one of the biggest panopticons ever? The final decision is just about to be made in the crucial trilogue negotiations (between European Parliament, Council/Member States and Commission).
Who Knows What and Universal Identification
From visits to the doctor, to eGovernment interactions, banking, social media logins, public transport or proofs of age – the new digital wallet will penetrate almost all areas of our everyday lives. It is therefore crucial that no single party can centrally observe our interactions and link the information from all those areas. But what information will an individual party be allowed to ask from us? If not required by law, relying parties like government institutions, banks or event organisers should only be able to request very specific information from the wallet. This request for information must also be technically limited and rules governing the access to information in the wallet must be enforced properly. The bouncer at the club, for example, should only be able to verify your age and not access your name and address, let alone your recent medication or information about your bank loan. On the other hand, government services should not be able to track your hotel room bookings.
Even if those parties don’t have direct access to all your sensitive information, there is still a way to link your interactions and create a “super profile”: if everyone is assigned a unique and persistent identifier, every bit of information about you can be linked back to you through it. If, for example, an insurance company gets its hands on the data of a big online shopping platform, it can join your shopping behaviour to its own records about you using that identifier. We therefore strongly oppose the creation of such unique identifiers and urge policy makers to prohibit them, as they pose a huge threat to everyone’s privacy.
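To make the linkage risk concrete, here is an added Python sketch (not from the open letter or any wallet implementation) that compares the rejected design, one persistent serial number per person, with relying-party-specific pseudonyms derived inside the wallet; the citizens, relying parties, records and wallet secrets are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: two citizens, each with a secret that never leaves their wallet.
CITIZENS = {
    "alice": {"wallet_secret": b"constructed-secret-alice"},
    "bob": {"wallet_secret": b"constructed-secret-bob"},
}

def persistent_id(name: str, relying_party: str) -> str:
    """The rejected design: one serial number per person, identical at every relying party."""
    return f"EU-{name}"

def pairwise_id(name: str, relying_party: str) -> str:
    """Relying-party-specific pseudonym derived inside the wallet.

    Stable for the same citizen at the same relying party (repeat logins work),
    but unrelated to the value any other relying party stores.
    """
    secret = CITIZENS[name]["wallet_secret"]
    return hmac.new(secret, relying_party.encode(), hashlib.sha256).hexdigest()[:16]

def build_records(id_scheme):
    """Records an online shop and an insurer would hold under a given identifier scheme."""
    shop = {
        id_scheme("alice", "shop.example"): {"purchases": ["glucose meter"]},
        id_scheme("bob", "shop.example"): {"purchases": ["nicotine patches"]},
    }
    insurer = {
        id_scheme("alice", "insurer.example"): {"policy": "health-basic"},
        id_scheme("bob", "insurer.example"): {"policy": "life-premium"},
    }
    return shop, insurer

def join_profiles(shop: dict, insurer: dict) -> dict:
    """The insurer obtains the shop's data and joins it on the identifier both parties stored."""
    return {k: {**insurer[k], **shop[k]} for k in insurer if k in shop}

def linked_profile_count(id_scheme) -> int:
    """How many citizens the insurer can enrich with shopping history under this scheme."""
    return len(join_profiles(*build_records(id_scheme)))

if __name__ == "__main__":
    print("persistent identifier:", linked_profile_count(persistent_id))  # 2: full super profiles
    print("pairwise pseudonyms:  ", linked_profile_count(pairwise_id))    # 0: nothing to join on
```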
Update 28.06.23 – Good News!
The strong opposition to a unique and persistent identifier has been successful: The serial number for human beings has been removed in the political trilogue on 28.06. This is a huge win!
Unfortunately, GDPR certification of the wallet is no longer mandatory. We welcome, on the other hand, the data protection cockpit that will give users full transparency about the data they shared and enable them to request removal by the relying party (according to Article 17 GDPR).
Moreover, the establishment of an EU-level umbrella body for the digital identity regulators survived the trilogue. This is, however, only a partial success, since it will have coordination and advisory functions only.
Proper Protection Through Proper Design
Today, in many everyday situations citizens can exercise their right to freedom of expression and freedom to conduct business anonymously or under a pseudonym. Only the proper design of the digital wallet can protect us from the constant threat of over-identification. Identification and a real-name internet must not become the new norm and must by no means render anonymity and the use of pseudonyms an exception. In situations where no law requires identification, anonymity and pseudonymity must be upheld. That means the wallet must not force identification on its users where it is not required by law. Similarly, proofs of personal attributes such as age must be possible without revealing your identity where the law does not require identification. This can be technically achieved with “Zero Knowledge Proofs”.
In other words, the new digital identity wallet, too, must adhere to the GDPR principles of privacy-by-design and privacy-by-default. It is neither fair nor sufficient to put all the burden on the shoulders of citizens. We have learned from the shortcomings of the GDPR: informed consent by the (wallet) user is not enough, even more so considering the highly sensitive information in the wallet.
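As an added illustration of attribute proofs without identification (not code from the open letter or any wallet project), the following Python sketch shows hash-based selective disclosure, the mechanism behind formats such as SD-JWT, rather than a zero-knowledge proof: the issuer authenticates salted hashes of every claim, and the holder reveals only the “over 18” claim to the bouncer. The issuer key, the claim values and the function names are constructed for the example, and an HMAC stands in for the issuer's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key; a real issuer would sign with a
# public-key signature that relying parties verify with the issuer's public key.
ISSUER_KEY = b"constructed-issuer-key"

def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()

def _tag(digests: list) -> str:
    return hmac.new(ISSUER_KEY, "".join(digests).encode(), hashlib.sha256).hexdigest()

def issue_credential(claims: dict):
    """Issuer: salt and hash each claim separately; authenticate only the sorted digest list."""
    # The salted disclosures stay in the holder's wallet until the holder chooses to reveal one.
    disclosures = {n: json.dumps([secrets.token_hex(16), n, v]) for n, v in claims.items()}
    digests = sorted(_digest(d) for d in disclosures.values())  # sorted: order reveals nothing
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: hand over the credential plus only the disclosures the relying party may see."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}

def verify(presentation: dict, required: list):
    """Relying party: check the issuer tag, then that each revealed claim is covered by it."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        return None  # digest list was altered or not issued by this issuer
    revealed = {}
    for disclosure in presentation["disclosed"]:
        if _digest(disclosure) not in cred["digests"]:
            return None  # disclosure was altered or never issued with this credential
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed if all(r in revealed for r in required) else None

def age_check_demo():
    """Bouncer scenario from the text: prove 'over 18' without showing name or address."""
    credential, disclosures = issue_credential(
        {"name": "Alice Example", "address": "Example Street 1", "age_over_18": True})
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify(presentation, ["age_over_18"])  # {'age_over_18': True}, nothing else
```

Note that the digest list and tag are identical in every presentation, so two relying parties comparing notes can still recognise the same credential: hash-based selective disclosure alone does not give the unlinkability the letter asks for, which is exactly why it calls for zero-knowledge proofs.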
IT Security & Non-Discrimination
Speaking of ubiquity and sensitive information: in the letter we also highlight the high IT security risks that come with the strong centralisation of the sensitive data of millions of European citizens, since this creates a lucrative attack surface. The vast spectrum of use cases also makes the wallet a potential single point of failure for critical infrastructure.
Lastly, the wallet must not exclude or disadvantage those who do not use it, especially senior citizens and low-income households. We therefore strongly advocate a right to equal participation in society across the digital divide. The European Parliament has already followed us in this regard and we urge the Council to do the same.
Ultimately, the success of the new digital identity wallet will depend on the trust users place in it. With the proper legal and technical safeguards it still has the potential to become a ubiquitous platform for digital interactions that actually serves us by respecting our fundamental rights and preserving privacy.
Read the letter here.