This article explores new digital solutions for sharing personal information securely when moving abroad. It was written as part of ACROSS, a research project funded by the European Commission. ACROSS aims to improve data exchange between cross-border service providers in the EU by prioritising citizens’ privacy.
In the non-digital realm, law and protocol may be challenged – a police officer or judge may use their discretionary space to decide that it was okay for you to break into your neighbour’s house to save their kitten from a fire. But code is a command – one cannot challenge it, as changes need to be implemented through technical design. 'Sign says no' is much different from 'computer says no.' This is a fundamental and problematic difference between law as we are used to it and law as it is enacted through code and digitally-mediated protocol: when rules are defined through digital protocol, people lose the agency to decide whether or not to follow the law or protocol, even in cases where the law or protocol is unsafe, inhumane, or unjust. (The idea that code is not neutral and can in practice become a surrogate for legislation without an actual democratic mandate behind it stems from Lawrence Lessig’s various writings on the notion that ‘code is law.’)
The nuanced differences between digitally-mediated protocol and human-mediated protocol need to be carefully considered in light of the rapid adoption of digital systems that manage processes involving human rights, personal privacy, and identity.
European Digital Identity
Europe is developing a European Digital Identity in which EU citizens, residents, and businesses will be able to use a digital wallet to identify or provide certain pieces of information about themselves using attribute-based credentials (ABCs). In this case, a ‘digital wallet’ broadly refers to an app that locally stores credentials, both identifying and non-identifying. Attribute-based credentials are a mechanism to “selectively authenticate different attributes about an entity without revealing additional information about said entity.” This allows a user to selectively prove an attribute (for example ‘age > 18’) to a verifying party without revealing any additional information, as explained by Privacy Patterns.
Attribute-based credentials (ABCs) in digital wallets could potentially be leveraged to promote a greater level of user control over one’s own personal data and digital identity. ABCs are central to the eIDAS digital wallet precisely because they can technically enable data minimisation and more granular consent regarding personal data sharing. But despite the potential benefits of ABCs in a digital wallet, there are also valid concerns about their capacity to lead to unintentional and undesired consequences.
Over-identification, function creep, and discretionary space
In the blog Civil Liberties Aspects of the European Digital Identity Framework, researcher Jaap-Henk Hoepman lays out a number of considerations regarding the implementation of digital wallets within the context of the eIDAS regulation and notes several ways in which implementation could infringe upon civil liberties, in particular as a result of over-identification.
Function creep is one manifestation of over-identification. It refers to the phenomenon whereby, as a technology (in this case, a digital wallet) becomes more ubiquitous, people are compelled to use it more regularly. As Hoepman writes:
"The end result is that the use of wallet becomes mandatory in the daily life of a citizen, and that she has to prove certain properties about herself in a context where this is currently deemed unnecessary. Instead of increasing the privacy of the citizens, this function creep actually creates more opportunities for tracking and profiling."
Function creep is a serious issue facing European digital services, because the types of credentials that are developed and used in an international context are often highly personal or sensitive. Imagine that a credential of EU citizenship is created. There are certain contexts when such a credential would be relevant and appropriate to request and share, such as when a person meets a border agent while physically moving from one country to another. In this case, there is a risk that this primary function will creep into other areas and thus infringe upon civil liberties; for example, if proof of citizenship is requested at the library, on the train, or in any context other than where strictly necessary.
A lack of discretionary space can also lead to over-identification and otherwise threaten human autonomy. Discretionary space has various forms. It may refer to an authority’s capacity to override certain categories or deviate from protocol when deemed necessary. Discretionary space may also refer to a person’s capacity to choose what information they share; the level of specificity with which they choose to share it; and whether or not they are truthful. Wallets and ABCs limit discretionary space by design – they are built to enable provable attestation – and thus may also limit one’s capacity to “bypass overly restrictive access conditions."
Consider various activities that were once illegal and required social justice movements in protest of laws, such as same-sex and interracial marriage and abortion rights. These social movements went through phases in which people had to make use of discretionary space, first ‘technically’ breaking the law in order to change the law. Discretionary space may also need to be utilised in emergency situations, like the example of saving a cat from a fire, or in a situation where someone needs to drive over the speed limit to get to a hospital. In this instance, discretionary space would be technically and mechanically limited if the car’s intelligent speed assistance did not allow it to go faster than the speed limit, posing a danger to the person with an emergency.
In the case of a person who is managing their digital identity internationally, there are numerous ways in which they may want or need to exercise discretionary space in order to protect themselves (all of which we cannot predict): for example, hiding or misrepresenting their sexual orientation to a border officer by lying about their marriage status; or making use of an alias/pseudonym to protect their identity or nationality in a wartime situation.
One potential response to such concerns is that exceptions may be made whereby a technical system allows for an ‘override’ in specific situations, like those mentioned above. The problem here is that there are a multitude of potential cases in which over-identification via function creep or lack of discretionary space will pose problems, and again not all of these cases can be predicted. Such an approach also shifts the agency to exercise discretion from the person who finds themselves in a situation to coders and developers who are otherwise removed from that situation. Furthermore, in digital services, consent (to follow a protocol or share personal information) is a binary concept: a 0 or 1. And whether the consent was coerced in any way cannot be judged.
Recommendations for policymakers and developers
For developers in general, some defences against the dangers inherent to ABCs in digital wallets are to thoughtfully implement certain types of credentials; to implement and enforce guidelines for requesting credentials; and to ensure that use of a digital wallet is not required for access to basic, necessary, or citizen services.
- Thoughtfully implement certain types of credentials – In many cases, a thoughtful implementation of certain types of credentials can help to protect rather than threaten civil rights. A previous example mentioned that a person may be compelled to share their actual name via a verified credential. While this could occur (e.g., a government could provide a credential attesting that your name belongs to you), we could also imagine a credential in which people are provided with a pseudonym that is tied to other credentials. For instance, when a name is optional, a wallet could allow a person to make up a name to be used (and stored in the wallet) for a particular service provider (e.g., they could ‘lie’ about their name to a housing agency but prove that they meet the rental requirements nonetheless). This facility could be applied to other cases where optional attributes are at play, typically in conjunction with an attribute that is verifiable.
- Implement and enforce guidelines for requesting credentials – The (type of) service provider and the context of the transaction may restrict the attributes that can be requested. This involves a schema of such restrictions, as well as a mechanism in which the requester’s authorisation to request certain attributes is validated. For example, the Dutch ‘civic service number’ can only be legally used (and thus requested) by government agencies or health care service providers. As another example, a border agent may have the right to verify a person’s nationality, but a housing company would not. This implies that such requests would be bi-directional, where the service provider reveals certain attributes about themselves (e.g. to prove that they are a border agent) and thereby asserts their right to request a given attribute from a user (such as nationality).
- Ensure that use of a digital wallet is not required for access to basic, necessary, or public services. To do so excludes people, for example those with lower levels of digital literacy, those who do not have access to a computer or smartphone, or those who otherwise choose not to use such technology. The Single Digital Gateway Regulation has the basic principle that services must be available online, but there has to be an alternative to the EU-based technical system. ("Article 14.4. The use of the technical system shall not be obligatory for users and shall only be permitted at their explicit request, unless otherwise provided under Union or national law. The users shall be permitted to submit evidence by means other than the technical system and directly to the requesting competent authority."). This seems like a good policy model: offer, but do not coerce, and provide an alternative.
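The following is an added example, not code from the ACROSS project or any eIDAS wallet, of how the second recommendation's 'schema of restrictions' and bi-directional request could look on the wallet side, together with the first recommendation's per-service pseudonym for an optional name. The requester roles, the trusted-issuer registry and the pseudonym derivation are constructed assumptions for illustration.

```python
# Added illustration, not code from the ACROSS project or any eIDAS wallet:
# a wallet checks a credential request against a constructed 'schema of
# restrictions' keyed on the requester's attested role.
from dataclasses import dataclass, field
import hashlib

# Constructed schema: which attributes each kind of requester may ask for.
ALLOWED_ATTRIBUTES = {
    "border_agent": {"nationality", "name", "date_of_birth"},
    "housing_agency": {"name", "age_over_18", "income_over_threshold"},
    "library": {"age_over_18"},
}
# Constructed issuer registry; a real wallet would verify the role credential's signature.
TRUSTED_ROLE_ISSUERS = {"example-national-authority"}
# Attributes the wallet may answer with a per-service pseudonym when marked optional.
PSEUDONYMISABLE = {"name"}

@dataclass
class RequesterCredential:
    role: str        # e.g. "housing_agency"
    issuer: str      # who attested that role
    service_id: str  # identifies the relying party for pseudonym derivation

@dataclass
class Decision:
    disclose: dict = field(default_factory=dict)  # attribute -> value to present
    refused: set = field(default_factory=set)     # outside the requester's mandate
    reason: str = ""

def pseudonym_for(wallet_secret: bytes, service_id: str) -> str:
    """Stable per-service pseudonym, unlinkable across services (constructed derivation)."""
    return hashlib.sha256(wallet_secret + service_id.encode()).hexdigest()[:16]

def evaluate_request(requester, requested, wallet_attrs, wallet_secret, optional=()):
    """Decide what the wallet discloses, given the requester's proven role."""
    d = Decision()
    if requester.issuer not in TRUSTED_ROLE_ISSUERS:
        d.reason, d.refused = "requester role not attested by a trusted issuer", set(requested)
        return d
    allowed = ALLOWED_ATTRIBUTES.get(requester.role, set())
    for attr in requested:
        if attr not in allowed:
            d.refused.add(attr)  # over-identification: not within this role's mandate
        elif attr in optional and attr in PSEUDONYMISABLE:
            d.disclose[attr] = pseudonym_for(wallet_secret, requester.service_id)
        else:
            d.disclose[attr] = wallet_attrs[attr]
    return d
```

A housing agency that asks for nationality alongside an optional name and an age proof receives the age proof and a pseudonym, and the nationality request is refused; the same request from a requester whose role is not attested by a trusted issuer is refused entirely.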
ABCs in wallets are a great opportunity for a considered, privacy-preserving approach to identity and authentication, and as such offer the right approach for many of the challenges faced by the emerging European Digital Identity framework. They are, however, also emerging technologies, the nuances of which are still being discovered. As with any technology, bad or mistaken design choices can undermine or weaken the advantages, and it is always prudent to guard against an overly optimistic belief in technology.
This blog is an adapted excerpt from the forthcoming deliverable D2.4 ‘Report for cross border services gap analysis – Final’ in ACROSS. ACROSS is co-funded by the European Commission’s 2020 research and innovation framework programme under project reference number 959157.