Digital identity is at the heart of the challenges of the digital economy: it is well known that information giants and some other players in the system use a business model based on the possession of users' personal data.
However, existing identity ecosystems have not yet adapted adequately to challenges such as privacy (GDPR), compliance with new anti-fraud regulations, or the prevention of identity theft. Privacy-related data protection covers both the protection of an individual's identity and the protection of personal data as a whole. In the digital world, however, this notion of privacy creates tension between the need for anonymity when moving around digital systems or the internet and the need for a social space, for dispute resolution and for a reliable justice system. The difficulty in the latter area is that sovereign states struggle to enforce their laws on the data of their own citizens and residents. It is therefore increasingly urgent to develop solutions that respect our values and culture, protect the identity of individuals and prevent its theft and commodification.
But what are we talking about? Digital identity is a set of verified digital attributes (e.g. personal and biometric data) and credentials, analogous to a physical identity card. It may include attributes such as a unique identification number, social security number, name, date and place of birth, nationality, biometric data and others, as defined by national legislation. The digital representation of nationally regulated credentials varies widely: e.g. India's Aadhaar system is based on a unique ID number, covers 1.3 billion people (99% of adults), and its official mobile app, available in 13 languages on Android and iOS, essentially acts as a virtual ID card. The digital ID is used as a mobile ID in Finland or Estonia, and as a card in Germany, Italy, Spain or Portugal. Programmes to develop national digital IDs are being launched around the world, many of which now include biometric data capture, mostly in the form of fingerprints. The countries of the Gulf Cooperation Council (GCC: Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain and Oman) launched their national eID programmes in the first decade of the 2000s, with the aim of making national eIDs usable in every country of the region and of making the eID an entry point for services in the virtual world, not only public services but also market services. Most of the Gulf countries also offer additional services: biometric identification, e-wallets for document storage, electronic payments, COVID cards, mobile apps, etc.
National eID systems in the European Union
The European Union launched its cross-border eID programme in the early 2010s, culminating in the eIDAS Regulation of 2014. Deployment of systems under the Regulation has nonetheless been relatively slow: as of 2020, 15 Member States had notified eID schemes for mutual recognition, 19 schemes in total: FAS / eCards (Belgium), itsme (Belgium), the National Identification and Authentication System (Croatia), the Czech national eID, Estonia's eID scheme, the German eID based on Extended Access Control, the SPID scheme (Italy), the Italian eID based on the national eID card, the Latvian eID scheme, the Luxembourg eID card, the Trust Framework for Electronic Identification (Netherlands), the Cartão de Cidadão (Portugal), the national electronic identification scheme of the Slovak Republic, the Documento Nacional de Identidad electrónico (Spain) and GOV.UK Verify (UK). In 2020, four Member States - Denmark, Lithuania, the Netherlands and Portugal - announced new electronic identification schemes. In addition, Germany updated its notified scheme to include an additional eID means.
Notification consists of three stages: a preliminary notification, followed by a peer review and finally a formal notification. The other Member States then have 12 months to accept users who identify themselves with the newly notified eID system. These systems cover the following key areas:
- access to highly secure and reliable electronic identity solutions,
- trusted and secure digital identity solutions on which public and private services can rely,
- enabling natural and legal persons to use digital identity solutions,
- linking these solutions to different attributes and allowing for targeted sharing of identity data, limited to the extent necessary for the service used,
- the adoption of qualified trust services in the EU and a level playing field for their provision.
Limited availability, fraud risk
In Hungary, Client Gateway users will be able to access government services with the new card-format ID card, provided they have a card reader connected to their computer. As with most national digital ID schemes, this kind of trusted identification is reserved for government services; digital IDs managed by market service providers are much more exposed to fraud, including those of financial service providers that are generally considered trustworthy. Authorised Push Payment (APP) fraud is growing rapidly, by up to 40 percent per year, with losses amounting to billions of dollars per year. According to Thomson Reuters, some major banks and financial institutions spend up to $500 million a year to comply with the most critical customer identification requirements, Know Your Customer (KYC) and Anti Money Laundering (AML). KYC/AML requirements, which are mandatory for all banks and financial institutions, oblige each of them to maintain its own records to prevent money laundering, terrorist financing and identity theft. As regulatory regimes become more complex and rigid, compliance costs and the time required to meet them will continue to increase. The huge costs also highlight some of the inefficiencies of existing KYC processes, such as:
- duplication of KYC compliance work within and between financial intermediaries,
- inconsistent data between institutions and regulators, as keeping information up to date is a long and tedious process,
- the significant time and resources required for manual validation and coordination of processes.
Further development of eIDAS
The European Commission published a proposal for amending the eIDAS Regulation on 3 June 2021. The proposed amendment aims to establish a more harmonised approach to digital identification - thus contributing to the strengthening of the Single Market. The new points will allow citizens, other residents as defined by national law and businesses to identify themselves online in a secure, convenient and uniform way across the EU.
European digital identity wallet
The proposal introduces the concept of a "European digital identity wallet", which will, among other things, allow users to store data, credentials and attributes related to their identity, to transfer them to relevant third parties on request, to use them for online and offline authentication for services and to sign transactions with a qualified electronic signature. The use of the wallet should be free of charge for everyone and accessible to persons with disabilities. The wallet should be issued by (or on behalf of) a Member State or independently but recognised by a Member State. Offline use would be important in many sectors, including the health sector, where services are often delivered through face-to-face interaction.
Electronic identification systems
In order to have more electronic means of identification available for cross-border use, Member States should notify at least one "electronic identification scheme" containing at least one means of identification.
To guarantee unique identification, Member States should operate a system containing the minimum personal identification data necessary for the unique and permanent representation of an individual or legal person, a unique and permanent identifier in accordance with EU law, which identifies the user on request in cases where the identification of the user is required by law.
Cross-border use of digital wallets
Where an electronic identification using an electronic identification device requires authentication under national law or administrative practice for access to an online service provided by a public sector body in one Member State, the electronic identification device issued in another Member State should be recognised by the first Member State for the purpose of cross-border authentication of that online service, provided that certain conditions are met.
Qualified storage service
The qualified electronic signature preservation service and the qualified electronic archiving service for electronic documents may be provided only in accordance with standards adopted by the Commission, by a qualified trust service provider using procedures and technologies capable of extending the reliability of the qualified electronic signature beyond its technological validity period.
Electronic attestation of attributes
The current eIDAS framework does not cover the provision of electronic attributes, such as medical certificates or professional qualifications, which makes it difficult to achieve pan-European legal recognition of such certificates in electronic form. For this reason, the Proposal introduces the electronic attestation of attributes.
According to the Proposal, an electronic attestation of attributes cannot be denied legal effect and admissibility as evidence in legal proceedings on the sole ground that it is in electronic form. A qualified electronic attestation of attributes should have the same legal effect as a lawfully issued paper attestation.
New qualified trust services
In addition to the qualified electronic archiving service for electronic documents (as described above), the Proposal also introduces additional new qualified trust services, namely:
- Remote qualified signature creation device
A "remote qualified signature creation device" is a qualified electronic signature creation device where a qualified trust service provider generates, manages or reproduces electronic signature creation data on behalf of the signatory. Remote qualified electronic signature creation devices may only be managed as a qualified service by a qualified trust service provider that meets the conditions set out in the Proposal.
- Electronic ledgers
An electronic ledger is a tamper-proof electronic record that ensures the authenticity and integrity, date and time accuracy, and chronological order of the data it contains. An electronic ledger shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or does not meet the requirements for qualified electronic ledgers.
A qualified electronic ledger should enjoy a presumption of the uniqueness and authenticity of the data it contains, the accuracy of its date and time, and its sequential chronological order within the ledger. Electronic ledgers give users evidence and an immutable audit trail of the sequence of transactions and data records, ensuring data integrity. Although this trust service was not part of the impact assessment, it builds on existing trust services by linking the timestamping and sequencing of data to certainty about the identity of the data issuer, much as electronic signatures do. The trust service is needed to prevent fragmentation of the internal market by defining a single pan-European framework that allows cross-border recognition of trust services supporting the operation of qualified electronic ledgers. Data integrity is also essential for aggregating data from decentralised sources, for self-sovereign identity solutions, for establishing the ownership of digital assets, for recording business processes in order to verify compliance with sustainability criteria, and for various use cases in capital markets.
SSI and eID
The concept of Self-Sovereign Identity (SSI), which enters the eIDAS Regulation through the electronic ledger provisions, is an emerging approach to how identity is managed in the digital world, usually built on blockchain technologies. With its focus on user-centricity, it aims to give users full control over their own identity without relying on any central authority. SSI principles are pervasive in the new proposal, but there is no clear regulation on whether ESSIF, the European Self-Sovereign Identity Framework developed under the European Commission's EBSI (European Blockchain Services Infrastructure) programme, will be the technological framework of choice for governments. Although this is still an open question, there can be little doubt that the technological answer to the multifaceted problems of electronic identification will come from the blockchain or distributed ledger technology (DLT) toolkit.
Blockchain as a solution
A blockchain is an append-only transaction ledger maintained by a distributed network of peer nodes (or peers). Each node keeps a full copy of the ledger. Transactions are grouped into blocks, each block is validated by the network's consensus protocol, and each block carries the cryptographic hash of the block before it. That hash link is what makes the ledger tamper-evident: altering any past block changes its hash, which no longer matches the reference stored in the next block, so every later block is invalidated and the change is detected by any node that re-verifies the chain.
Blockchain, as a form of shared, append-only data storage and transmission, can be a secure and efficient basis for KYC/AML compliance: information that banks and financial institutions have collected from customers is recorded on a common ledger. This can speed up customer onboarding and verification, drastically reduce the costs involved, and is well suited to the stringent requirements of regulatory reporting. Because all parties read the same shared ledger, there is no need to reconcile transaction records or data between companies, regulators and compliance officers: the information is already on the chain and is updated in real time or near real time. One practical caveat: the immutability of the ledger is at odds with the data-minimisation and erasure obligations of the GDPR, so in practice the personal data itself stays with the institution that collected it, and only a cryptographic commitment (a salted hash) or a signed attestation of the verified record is written on-chain, which lets other participants check the record without replicating it.
A key benefit of blockchain is that the rules governing the shared records are encoded in smart contracts: programs stored on the ledger, executed identically by every node, whose code cannot be silently altered and whose execution is transparent. Like an "if-then" rule in a spreadsheet, a smart contract does exactly what it was programmed to do when its conditions are met, but the rule is enforced by the network rather than by a third party verifying each step. By doing so:
- KYC/AML can be securely shared across departments and other financial institutions, rather than requiring multiple collections and verifications of user data.
- Various departments in financial institutions can obtain information instantly, drastically reducing operational costs.
- With digitally accessible information, financial institutions can provide a better user experience.
One example: the Verified.Me
While there are many promising developments in the EU, the drive to share KYC/AML costs, reduce the associated costs and increase security has progressed further overseas. Following research by the Digital ID and Authentication Council of Canada (DIACC) and Rutgers University, seven of Canada's largest financial institutions launched Verified.Me, a blockchain-based, privacy-centric digital identity verification network, in 2019; it provides strong authentication along SSI principles while protecting individuals' privacy. The system is built on the principle that Canadians manage their own sensitive personal information, and Verified.Me itself has no access to users' banking details or to the credentials they use to log in to their banks.
Figure 1: Example of Verified.Me being used to verify an applicant's identity for a lease application. Source: https://verified.me/
A permissioned blockchain was the natural choice for Verified.Me because, while the service is cross-sector and collaborative, it is still necessary to verify who participates in the network and who controls it. The blockchain platform - in this case Hyperledger Fabric - provides the foundation on which modern digital identity services can be built with security and trust grounded in privacy.
In conclusion, digital identity solutions are necessary and make life and operations much easier for users and service providers alike, but they can only be deployed safely and effectively within a proper regulatory framework and with appropriate user awareness.