In this article we will discuss the ins and outs of privacy for a digital identity solution, but first we will introduce the key components of a digital entity, which can be written as an equation:
digital identity = f(identification, authentication, …).
We will also answer the following key questions:
- What are the parameters of the Web 4.0 connected world?
  – the new data business model;
  – the end user request: convenience and trust for continuous identification/authentication;
  – the legal parameters (probative value, regulations, supervising and inspection authorities).
- How does the digital ID equation solve some of the ‘big bang data’ privacy issues?
First of all we will analyse the privacy aspects of some important identity management solutions with and without smartcards, such as issuer-centric, user-centric, federated identity and private single sign-on solutions. Then we will underline the challenges we need to overcome in order to guarantee privacy in any future identity management solutions. Afterwards, we will try to answer the following questions: How can Attribute Based Credential solutions help solve the equation while preserving privacy? And what about Self-Sovereign IDentity (SSID) based on the blockchain?
What is a digital identity?
Before tackling privacy issues related to identity management, we will try to answer the first question: What is digital identity today? Identity is first of all natural and is usually considered an aggregate of components defining the person beyond being a member of humanity. Going forward we will discuss identity as a legal concept. According to Article 6 of the Universal Declaration of Human Rights: “Everyone has the right to recognition everywhere as a person before the law.”[1] In order to guarantee rights on a national level (the right to vote, the right to security, etc.) governments have established national identity solutions using national ID cards or resident cards. To enable cross-border recognition of national identity, interoperable solutions have been implemented on an international level (see Box 1). However, the system is not perfect. The United Nations estimated that roughly 1.5 billion people have no legal identity and over 60 million are stateless and/or refugees – a number set to increase due to climate change and political and economic crises.
In parallel to the world of sovereign identity, a new digital world has evolved where people have different ‘personas’ in the public sphere (e.g. Twitter), the professional sphere (e.g. LinkedIn), and the private sphere (e.g. Facebook and Amazon). The way personal information is shared differs between these digital spheres.
And this new digital world is growing as more and more physical devices communicate with each other using the ‘Internet of things’ (IoT). The big data generated by connected devices will boost the implementation of artificial intelligence. As a result the digital identity of a physical person will have to be linked to the extended notion of Personally Identifiable Information (PII) as defined by the ISO/IEC 29100 standard. PII is any information that (a) can be used to identify the PII principal (i.e. the data subject) to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal. To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
However, the digital identity does not only concern physical persons but also legal entities which want to protect their confidentiality and secrecy related to their various data assets (intellectual property, technical know-how, commercial data, business data and human resources data). And robots will probably have an identity soon too, if we consider the European civil law project on Robotics.[2]
In a nutshell, the digital identity serves to manage all potential different identity profiles (personas) and personal data of one entity; each profile can be defined as a set of attributes identifying the entity.
What parameters should be taken into account in the Web 4.0 world?
In today’s Web 4.0 digital world, the digital identity is associated with the commercial value of PII. In exchange for the premium free access to online services, service providers propose Service-Level Agreements (SLA) that authorise them to use direct personal data or indirect data (such as metadata) in any way they want, with the objective of adapting services, products or even prices to their customers’ profiles.[3, 4] That is why every entity faces the key question: How do I manage my different personas and connected ‘personal data’ while preserving my privacy at the same time?
New laws have been drafted to give users control over their data while ensuring data can flow freely. The paradigm has changed further as new regulation holds data processors accountable for privacy protection, and even subcontractors may face sanctions (see Box 2).
Privacy protection compliance is not limited to security measures for end-to-end confidentiality, integrity and availability. Key concepts of such regulations are derived from the eleven principles of the ISO/IEC 29100 standard (see Figure 1).
Privacy by Design
A Privacy by Design approach for legal compliance and user trust for digital ID solutions should take into account the principles listed in Figure 1, but also consider the following:
- a user-friendly design for a seamless digital experience, in particular through the usage of mobile devices;
- a digital ID model design which can be trusted by private or public entities that require legal proof for compliance and Know-Your-Customer processes, for example in case of payments. Examples are the European DSP2 directive which will enter into force in January 2018 and the AMLD4 directive against money laundering and terrorism.[5, 6]
What is the relation between the digital ID equation and the ‘privacy big bang’?
Analysis of some main existing identity management solutions
To solve the digital ID equation with this privacy big bang, we should first scrutinise the various digital ID models. They are described in the FIPS 800-63-3 standard (see Figure 2).[7] Two different steps are considered:
- identification through identity proofing during the enrolment phase to create confidence in user identities; and
- digital authentication to prove the validity of one or more credentials used to claim a digital identity with the related Level of Assurance (LOA).
See Box 3 for a comparison of the US and European ID models.
The digital model described by sovereign entities is not required for all services. For many private services, enrolment does not require identification using reliable and validated identity proofing and the service only requires trusted authentication. The authentication may involve a convenient single sign-on solution avoiding the need to get online and enter multiple passwords.
For instance, the FIDO alliance achieves this objective using open FIDO protocols that provide online trust and interoperable authentication with FIDO authenticators (UAF or U2F) while preserving privacy and anonymity.[8] The FIDO protocol is very successful with the adoption of the FIDO Plug-In by GAFA (Google, Apple, Facebook, Amazon). But two FIDO pitfalls remain: the lack of strong authentication in relying party processes – in Europe qualified website authentication certificates are required for DSP2 implementation – and identity proofing. This is why FIDO is working with Yubico [9] to create solutions that extend FIDO with federation protocols and build an ID proofing engine with open source reference implementation such as OpenID Connect. But this presents FIDO with a new challenge: the loss of privacy that federation and identity proofing solutions involve.
As a rule of thumb, a Privacy by Design approach for identification and the overall federation of identity is far more tricky than pure strong authentication, which can be done anonymously and locally while using both secure authenticators (e.g. with Match On card solutions) under the sole control of end users, and zero-knowledge proof secure messaging with the relying party. For the validation of the identity proofing (with the relevant LOA), the enrolment step used to be performed by a sovereign identity which at the same time acted as the Credential Service Provider (CSP) to deliver the related ‘credential’, first in the form of a physical secure ID document, and for a few decades now as an electronic credential stored within a cryptographic container such as a secure machine readable code or a secure element on a sovereign document with PKI back end (e.g. an ID card, resident card, driving licence or passport).
Three ID models
- The centralised inherently secure ‘issuer-centric’ model has the main drawback of government control, which a user might not accept for private use (see Box 4).
- The issuer e-ID model has now evolved into a mobile ID or pure virtual ID, with not only sovereign entities as CSPs, but also private companies such as banks (e.g. bank ID in Sweden [10]), pure private players such as telecommunications operators (e.g. Mobile Connect by GSMA[11]), or credentials stored either in pure cloud solutions or within the mobile device (see Box 5).
- In Europe, a sovereign ‘user-centric’ solution has been implemented in Germany based on the PACE protocol that has a ‘privacy by default’ feature which uses sectorial pseudonyms and has the advantage of storing attributes rather than credentials (see Box 6).
Each of the three identity models discussed in Boxes 4, 5 and 6 allows credentials to be stored using strong authentication based on reliable sovereign ID proofing, but was designed with inherent privacy issues and/or offers non-ubiquitous implementation for a private services extension. In parallel, federated identity solutions with single sign-on solutions for public and/or private use have emerged in countries that do not issue national ID cards.
The article ‘Toward Mending Two Nation-Scale Brokered Identification Systems’ compared the Verify-UK with the FCCX US federation solution and concluded there was a “serious danger to citizen privacy and more generally, to civil liberties” due to the fact that such hubs are able “to profile users in respect of their interactions across different service providers.”[12] (See Box 7).
How can the digital ID equation 4.0 be solved and how can Attribute Based Credentials solutions solve part of it while preserving privacy?
The most recent draft of the NIST document SP-800-63 part C focuses well on the privacy risks of using federated identity for tracking and profiling subscribers and/or attributes and the need for technical blinding measures to provide unlinkability for federation proxies.[13] (See Table 1).
The European ENISA guideline ‘Privacy and Data Protection by Design – from policy to engineering’, which was published in December 2014, has also warned us of this critical privacy issue, which makes the Identity Provider (IdP) “the spider in the web for all identity-related transactions” due to authentication log trails (even if related to crypto pseudonyms) and the high cyber risk of eavesdropping on the authentication and attributes exchange communications.[14] We can safely deduce that the eIDAS implementation act 2015/1501, which persists in requiring a unique identifier for cross-border identification, may become a significant obstacle to the extension of federation implementation with national e-ID schemes to private applications for which such an identifier is neither legitimate nor appropriate.
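The linkability argument above can be made concrete with a small simulation, added here as an illustration and not taken from the article or from any of the cited schemes. It compares a single unique identifier with per-relying-party pseudonyms and shows that pseudonyms stop relying parties from joining their logs, while the hub's own log trail still profiles the user. The HMAC derivation is a simplified stand-in for sector-specific pseudonym schemes, and all names, keys and visits are constructed.

```python
import hashlib
import hmac

# Constructed sample data: subscribers visiting relying parties (RPs).
IDP_SECRET = b"constructed-demo-key"  # hypothetical key held by the IdP/hub
VISITS = [("alice", "tax.example"), ("alice", "clinic.example"),
          ("bob", "clinic.example"), ("alice", "shop.example")]


def global_identifier(subject: str) -> str:
    """One identifier released unchanged to every RP (unique-identifier design)."""
    return hashlib.sha256(subject.encode()).hexdigest()[:16]


def pairwise_pseudonym(subject: str, rp: str) -> str:
    """Per-RP pseudonym: keyed hash bound to the RP name (simplified stand-in)."""
    msg = subject.encode() + b"\x00" + rp.encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def run_federation(derive):
    """Replay VISITS through the hub; return (per-RP logs, hub log)."""
    rp_logs, idp_log = {}, []
    for subject, rp in VISITS:
        rp_logs.setdefault(rp, set()).add(derive(subject, rp))
        idp_log.append((subject, rp))  # the hub sees every transaction
    return rp_logs, idp_log


def colluding_rps_link(rp_logs) -> dict:
    """Join all RP logs on the identifier; keep identifiers seen at >1 RP."""
    seen = {}
    for rp, idents in rp_logs.items():
        for ident in idents:
            seen.setdefault(ident, set()).add(rp)
    return {i: rps for i, rps in seen.items() if len(rps) > 1}


def idp_profile(idp_log, subject: str) -> list:
    """What the hub can reconstruct from its own log, pseudonyms or not."""
    return sorted({rp for s, rp in idp_log if s == subject})


if __name__ == "__main__":
    designs = [("global", lambda s, rp: global_identifier(s)),
               ("pairwise", pairwise_pseudonym)]
    for name, derive in designs:
        rp_logs, idp_log = run_federation(derive)
        print(name, "identifiers linkable by RPs:",
              len(colluding_rps_link(rp_logs)))
        print(name, "hub profile of alice:", idp_profile(idp_log, "alice"))
```

The hub profile is identical in both runs, which is the gap that blinding the federation proxy is meant to close.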
As an alternative to a fully compliant Privacy by Design solution, ENISA was encouraging the implementation of triple-blind federation based on Attribute Based Credentials (ABC) “to put the user central to all transactions related to its identity” and “allowing unlinkability for subscription and for any attributes of the user”. A new set of standard requirements of ABC is in preparation under ISO/IEC SC27/WG5[15] based on the learnings from the European ABC4trust study[16].
ABC solutions do not only allow Privacy by Design compliance but also:
- provide probative value (related to a LOA) and revocation updates, which are required for remote and peer-to-peer payment applications under the DSP2 and AMLD4 directives; and
- enable independent inspections for dispute resolution in private usage, and for satisfying specific sovereign requests if required. The role of inspector can be performed by several entities while ‘sharding’ prevents intrusive and uncontrolled inspection.
After the first two ABC pilots and research studies (Uprove, based on the single use of credentials[18]; and IBM’s Idemix, based on zero-knowledge proof solutions that allow the use of one credential several times[19]), triple-blind models are more than just theory today. The French company Ævatar.coop is developing a full Privacy by Design digital ID solution which includes an ABC backend infrastructure for real industrial use case applications such as payments and access control.[20] In Canada the Digital ID & Authentication Council of Canada (DIACC), SecureKey and IBM are working on a triple-blind solution for a digital ID network for both identification and authentication.[21] Both Ævatar.coop and DIACC are working on user-centric decentralised identity solutions (with no database), not only based on ABC and a triple-blind back end for full privacy compliance, but also with a trusted distributed ledger or permissioned blockchain. The decentralisation helps increase user trust and provides a smooth user experience on mobile devices while the user retains full control over their data and choice of IdP according to the LOA required by the Verifier (the Service Provider).
These innovative approaches are on the same wavelength as the ID2020 model which is based on SSID with blockchain.[22] This would create an inclusive digital economy solution for basic services with governance and accountability features against corruption, terrorism and money laundering while organisations benefit from the global growth of the digital market (see Box 8).
Conclusion
In conclusion, SSID and the use of blockchain for digital identity will be the future as soon as standards and related legal framework have matured enough for sovereign acceptance, and relying parties have sufficient confidence in the governance for probative value and legal proof in case of disputes. In the near future, the triple-blind architecture based on ABC will become a trusted relevant architecture for all parties (users, the public and the private sector) as it meets the expectations users have of a privacy-preserving 4.0 digital identity.
References
1 Universal Declaration of Human Rights. http://www.un.org/en/universal-declaration-human-rights/
2 Draft Report with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)). (2016).
3 Zuiderveen Borgesius, F.J. and Poort, J.J. (2017). Online Price Discrimination and EU Data Privacy Law. Journal of Consumer Policy, Vol. 40, No. 3, pp 347-366.
4 Pandey, R. (2017). Facebook Uses Data from Onavo to Track Apps and Services Which People Use. iPhone Hacks, 14 August. http://www.iphonehacks.com/2017/08/facebook-uses-data-from-onavo-to-track-apps-services-people-use.html
5 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366&from=FR
6 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC. http://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32015L0849 [Accessed 1 October 2017].
7 NIST (2017). Digital Identity Guidelines. https://pages.nist.gov/800-63-3/
8 Fido Alliance. https://fidoalliance.org/
9 Chong J. (2017). FIDO, ID Proofing and Federation. Webinar slides on https://fidoalliance.org/wp-content/uploads/FIDO-U2F-Federation-ID-Proofing-FIDO-webinar-Aug-2017.pdf
10 BankID. https://www.bankid.com/en/
11 GSMA Mobile Connect. https://www.gsma.com/identity/mobile-connect
12 Brandão, L.T.A.N., Christin, N., Danezis, G. and Anonymous. (2015). Toward Mending Two Nation-Scale Brokered Identification Systems. Proceedings on Privacy Enhancing Technologies, 2015 (2):1–22. http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/popets15-brokid.pdf
14 ENISA (2015). Privacy and Data Protection by Design: from policy to engineering. https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
15 ISO/IEC AWI 27551. Information technology – Security techniques – Requirements for attribute-based unlinkable entity authentication. https://www.iso.org/standard/72018.html
16 ABC4Trust: Attribute-based Credentials for Trust. https://abc4trust.eu/
17 Veseli, F., Camenisch, J. and Lindstrøm Jensen, J. (2014). D8.13 Reference Implementation for Standardization V2. ABC4Trust.
18 Camenisch, J. and Van Herreweghen, E. (2002). Design and Implementation of the idemix Anonymous Credential System. Proceedings of the 9th ACM conference on Computer and communications security, pp. 21-30.
19 Brands, S. (2000). Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge, USA.
20 https://aevatar.com/
21 Jordan G. (2017). Episode 160: Why new approaches such as blockchain are needed to solve digital identity. Secureidnews, 11 April. https://www.secureidnews.com/news-item/episode-160-why-new-approaches-such-as-blockchain-are-needed-to-solve-digital-identity/
22 ID2020 Digital Identity http://id2020.org/digital-identity-1
Nathalie Launay works as an independent NTIC consultant and has 17 years’ experience in smart card and identity businesses. She is a certified smartcard industry professional and is an acknowledged expert in security and privacy. During 2017, Nathalie was a member of Ævatar.coop, a self-sovereign identity management platform whose mission is to help people build and protect their digital identity, and has represented this platform as an expert at the ISO TC307 Blockchain Identity SG. At the end of 2017 she was certified as a Data Protection Officer by Veritas.