Cross border e-Identification – WS 07 2022
You are invited to become a member of the session Org Team! By joining a Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the mailing list to join the Org Team and answer the email that will be send to you requesting your confirmation of subscription.
In this session we will focus on the different aspects of the cross boarder data flow, what are the challenges for various stakeholders.
Europe is looking for greater trust and transparency between the various stakeholders involved and the criteria under which governments should have access to personal data held by the private sector. Will Europe find a solution even without a Snowden-like case? What are the innovative and inclusive solutions to cross-border data sharing in national security and law enforcement contexts?
What are the requirements and restrictions of cross-border e-Identities? What challenges have to be faced by various stakeholders? What technical solutions for cross-border data verification are there available at the moment which can be of a practical use? What is the experience and lessons learned from a cooperation of TLD managers from different European countries in granting access to the digital identities of their customers outside the home countries?
The session will be held online only, allowing for active participation and debate. There will be up to 3 introductory speakers, and a moderated discussion among all participants.
- eIDAS revision: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0281
- latest amendments proposed by the EU parliament: https://eur-lex.europa.eu/resource.html?uri=cellar:e0649735-a372-11eb-9585-01aa75ed71a1.0001.02/DOC_2&format=PDF
Please provide name and institution for all people you list here.
- Regina Fuchsova
Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles
Organising Team (Org Team) List Org Team members here as they sign up.
The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.
- Sivasubramanian Muthusamy
- Fotjon Kosta
- Marjorie Buchser, Chatham house
Her research interest focuses on innovative and inclusive solutions to cross-border data sharing in national security and law enforcement contexts. Bio: https://www.chathamhouse.org/about-us/our-people/marjorie-buchser
- Georgia Osborn, Oxford Information Labs
She is a Senior Research Analyst with experience within counterterrorism and law enforcement, intelligence analysis, investigations and policy analysis. Bio: https://oxil.uk/about/
- Jaromír Talíř, CZ.NIC
He is responsible ea. for mojeID authentication service. Bio: https://www.nic.cz/page/352/management-team/
- Hans Seeuws, External relations manager EURid
Was at the birth of EURid´s data verification project and will highlight the pros and cons of the various methods for cross-border verification purposes. Bio: https://eurid.eu/en/welcome-to-eurid/corporate-governance/
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.
- Regina Filipová Fuchsová, Industry Relations Manager at EURid, the .eu registry
Bio: Regina joined EURid, the .eu, .ею and .ευ registry, in 2007 as the Regional Manager Central Europe based in Prague, the Czech Republic. Her responsibilities included business development and registrar relations areas. Recently, she took over the role of the Industry Relations Manager. Previously, she worked at the Czech NREN Cesnet as the Deputy Director for Economic Affairs. She holds a PhD in International Economic Relations from the University of Economics in Prague and a master degree in Law from the Palacky University in Olomouc, CZ. She completed a post-graduate master programme in European studies in Krems an der Donau, AT.
The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.
Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:
- are summarised on a slide and presented to the audience at the end of each session
- relate to the particular session and to European Internet governance policy
- are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
- are in (rough) consensus with the audience
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
- Go to the messages from Focus Area 3
- Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/event/eurodig-2022/cross-border-e-identification.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
>> Hello, everyone. Welcome. My name is Sophia. And I’m the host of the FabLab in Trieste. You can see the room on your screen. Unfortunately, we have no participants right now. But I’m sure it is likely that someone will come in in a few minutes. I would like to go over the session rules. Have on the display your full name. You can raise your hand to ask a question. Without further ado I would like to give the floor to Regina.
>> MODERATOR: Thank you very much. And a big thanks to EuroDIG to enabling this session and organizing the whole conference. I can imagine that there are quite a lot of challenges with this hybrid format. It is – it will never be as it used to be before. And now I can see the room in the full screen. Yeah. I saw it was a bit more full in the morning. So let’s hope people will come later on.
This session aims at theoretical and practical challenges of cross-border data flow, a very up-to-date topic with the current situation being in Europe, which is looking for a greater trust and transparency between the various stakeholders involved. And also the criteria under which Governments should have access to personal data, which are held by the private sector.
It was already discussed in the previous session for topic 3 group of EURid system that aims to provide a higher degree of privacy protection, but there are still some design elements that can be challenged. And we will touch on it.
Last but not least the famous study that suggest duties for different players and registries. We have two representatives of the ccTLD registry, have certain duties even for the infrastructure under the management of the ccTLD registries is just used to navigate the Internet.
So let’s dive in to these topics with our great panelists today. We have here Marjorie Buchser, who leads the Digital Society initiative in the UK. Prior to this, she focused on the fields which included digital inclusion or digital innovation at the organization Purpose and at the World Economic Forum as well. Welcome.
>> MARJORIE BUCHSER: Thank you. Do you hear me well?
>> MODERATOR: We hear you well. So I will go quickly through the various speakers so we make sure we have got connection and when we start with the introductory statements. As the next speaker we welcome Georgia Osborn, senior researcher analyst at Oxford Information Labs. She has also experience within Counter-Terrorism and law enforcement investigations and policy analysis. Hi Georgia.
>> GEORGIA OSBORN: Hi. Hi everyone.
>> MODERATOR: Let me introduce Jaromir from CZ.NIC. He is responsible for one of the pioneer authentication solutions, authentication service at CZ.NIC and also involved in the management of the Centre Technical Working Group and the project reg I.D. which was done under the centre umbrella, a cooperation of registration and data sharing. Hi Jaromir.
>> JAROMIR TALIR: Hi.
>> MODERATOR: The fourth speaker is Hans Seeuws. He took over this role this year but prior to it, he was among other things, the eiDAS project with the EU which introduced the various data verification methods. If I said that CZ.NIC is the pioneer in the solution, then eIDAS offers different things.
>> HANS SEEUWS: Hi.
>> MODERATOR: Thank you for being here today. Marjorie, the floor is yours for your introductory statement.
>> MARJORIE BUCHSER: Thank you. I want – so what I would like to do today is give you an overview of a new project that has – has launched at the beginning of this year on cross-border data transfer in the context of law enforcement in national security. And I have to start by managing your expectation because we are still very much in the process of researching this topic. We just finalized a consultation. I have more questions than answers for you today. But hopefully quite useful in terms of sort of outlining the obstacles that and information that we have received come from the community.
So the research at the moment is – we finished a consultation phase. And we had 30 interviews with experts from academia, Civil Society, European institution, national security, law enforcement agency, and private sector actors.
And what I would like to do is relay to you some of the sort of tension and specific pain points that were highlighted to us during this consultation.
So as the first element I should highlight is that cross-border data requests have become a critical and sort of essential aspect of criminal investigations in Europe today. And so the European Commission highlighted that more than half of all investigations includes a cross-border data request. So essentially what’s happening is that law enforcement authority in Europe needs to request data from outside Europe to private companies. And mainly what they said are the main source of data is essentially Google, Facebook and Microsoft.
And the reason why e-evidence or electronic evidence has become so important as opposed to things, the first one is the widespread use of digital technology by the public. They use e-mail and technical communication and a globalized Internet architecture. That means that most of the data related to a crime is actually often stored outside the country. It has been collected and outside, you know, the territory where the crime happened.
And so that leads to a very complex situation today and why do we see so many tensions around this question of data used in criminal investigations that is stored abroad. I think the first main obstacle and issue that we see in this space is that the legal frameworks that today govern cross-border data transfer are still very deeply rooted in the analog concept of NationStates and territorial boundaries. So broadly speaking, not in the context of law enforcement, the legal framework is the one where the data is stored. This country has no relevance for the specific investigation apart from the fact that those private companies have their headquarters in these countries. In that case it is often the U.S.
And so therefore, what you have is legislation, legislation of the requesting countries, et cetera, et cetera. So what you have is really unwieldily conflict prone legal regime that insufficiently address the different aspects of cross-border data. We see an effort to create more direct access to. But here again you have many questions and issues regarding, you know, what type of legal regime is sufficient enough to provide protection in terms of privacy, et cetera, et cetera. So that’s the main issue is this question of territorial and outdated legal framework.
The second is and we really specifically look at the topic from a law enforcement and national security angle, because this is also at the core of the problem here. And what we see and what was sort of relayed to us is the traditional dichotomy that you have between law enforcement and national security imperatives are very blurred. However in the current legal framework intelligent services essentially face much less regulation and oversight. And most of the legal framework that applies today is actually they are exempt to it. They are an exemption to it.
And the reason why it creates a problem is that the question is whether those new direct access or those new agreement between country regarding cross-border data should also include national security operations.
And they are defense opinion there. But essentially I think that the key element here is that in a globalized Internet you really have value tension between the need for global and regional cooperation. And the sovereign provocative associated with national security activities. Push for greater harmonization in the European level, you also have the counter push from EU – from practitioners that indicate that surveillance should not be – should not be part of the scope of international or regional agreement.
So I would say that these are really the main obstacles and the many issues that we see that have made those conversations so complex. And for the moment we don’t necessarily see the Resolution and to bring stakeholders together to highlight the different perspectives.
So I’m going to pause there because that was quite – that was quite broad already. So I’ll hand over to you, Regina.
>> MODERATOR: Thank you very much, Marjorie. They are very interesting points. And they go back probably to the whole problem with the Internet being designed for a good use. And it became at the time a part of a normal life which unfortunately includes many, let’s say, shadow or black activities. May I ask Georgia to come in with her points?
>> GEORGIA OSBORN: Thank you. Marjorie has sort of laid out some of the main kind of complexities with cross-border data sharing. And the project she mentions I have been sort of supporting, but I’m going to be talking a little bit about the practical challenges that come with some of those complexities.
Because often these complexities have meant that these organizations or agencies have come with their own practical solutions. So I’m going to speak a little bit for the kind of practical aspects of law enforcement, private companies and also a little bit about private kind of – privacy concerns and groups that are involved in privacy. What we have seen is a lot of law enforcement agencies try to streamline this process because it is so complex. So a lot of law enforcement agencies have single point of contact when it comes to requesting data because it is such an important part of any investigation now as Marjorie mentioned, it is one of the main things that a law enforcement agency has in terms of tools for investigations.
So when it comes to streamlining these requests, you have a single point of contact to spot. And they often are the person that is meant to know how to request data from these different tech companies of which there are many. Often abroad. Often in America. And it is often one person for many tech companies. So it is that process itself is complex. And you can imagine the difficulties that comes with the different ways and processes that tech companies have in terms of requesting data.
So the second thing is that private companies and sort of online digital platforms have also attempted to streamline this process.
So while law enforcement agencies have their own methods of requesting data and often they may have different spots for different areas, often in Europe, they have some countries in Europe have many spots and some have one spot for everything. So the – that system itself is not streamlined to one method.
And then tech companies themselves have had to work in this complex environment that Marjorie has outlined where the legislation may not be sort of – maybe not be fit for purpose according to some of our – during our consultancy period which is what we have found. So a lot of the organizations have had to come up with methods of streamlining the processes themselves.
So a lot of say, for example, Facebook has a portal system where often law enforcement agencies can request specific data from this portal system. They might have even teams where they can facilitate law enforcement investigations. And kind of engage with them and liaise with them on that level. But what we find with that method a lot of smaller online digital platforms are not necessarily equipped or resourced in that way.
And might be left behind in terms of what to do if a law enforcement agency from perhaps a country that is not the Western Democracy comes to them and says can we please have this data. So that is a challenge for these tech companies themselves.
And then the third thing is when it comes to sort of privacy concerns, there is a difficulty in terms of getting stakeholders to the table. Often we don’t have privacy groups or law enforcement agencies at the same table discussing these issues. And we see this kind of tension play out when it comes to the EDPS decision on kind of – on restricting the data that they had access to. You see the text play out on law enforcement want more data or they think they have a need for something. And then the privacy concerns often in disagreement with them.
So the main point here would be that all stakeholders should have early inclusion and not just engagement at any level of when it comes to this e-identification. I want to bring it back to e-identities. Whilst organizations might have come up with their own practice solutions, often these things can be ironed out beforehand or in much easier process.
And with that I will give it to you, Regina.
>> MODERATOR: Thank you very much, Georgia, for this very practical observations. I will just check if we have – for this topic if we have a question from the floor. We don’t have. Before we will move more to the let’s say more concrete problematic from the ccTLD registry’s viewpoint, I would like to ask you both based on research and observations. So what would you say, like what would be the proper take on a Government level or you also already mentioned some multi-stakeholder structure. Who should be the driver. And also have you noticed during your research some concerns from the private sector about costs associated or about who in the end, what the end users, what would be the impact for any end users of all these data collection cross-border and sharing? So –
>> GEORGIA OSBORN: I’m happy to go ahead, Marjorie. So I guess in terms of the end user, I mean what’s been so interesting in the consultation period and specifically as well for me, coming from a kind of law enforcement background, is hearing the privacy concerns. And hearing those and understanding them and the importance of them. But it is also hearing some of the law enforcement concerns, you know, ultimately are you going to be caring that your data was given if you are the victim of a crime that needs to be solved.
So there’s a real difficulty there. In terms of how you resolve that it is a really difficult one. So it’s really not easy. I mean it is very difficult as well to outline everything in such a short period of time because this is an incredibly complex issue. And, you know, it goes across many different layers around the problems with legislation as Marjorie mentioned. And areas of national security and law enforcement and then areas in terms of privacy and what that means for the individual. In terms of e-identities and to bring it back to the main topic, one of the things that has come across in the consultation period has been how do you authenticate a law enforcement agency who is requesting data to a small tech company. And how does that happen. When it comes to e-identities, I think that’s a big question. In terms of how that affects the user is something that would need to be given a lot of thought in how tech companies themselves perhaps, that comes with further engagement. Perhaps Marjorie wants to add on to my points.
>> MODERATOR: Yes. So please.
>> MARJORIE BUCHSER: If you want to go first and then I will follow suit.
>> EMILY TAYLOR: I’m really happy to follow suit. I was raising a general question in response to both of your questions.
>> MARJORIE BUCHSER: On that question, what was really interesting in the consultation that we have just concluded is that there is potentially a new form of coalition around this issue. And I think Civil Society experts but also academia highlighted that for once big tech has actually an interesting role to protect the user privacy and sort of interestingly they highlighted that they sought sort of big tech company interest more in line than in other issues with regard to privacy protection.
And what was relayed to us was really that I think there is a sense for private actors that the current situation is really untenable for them, they are caught between the strong privacy funder users and sort of helping lawful, legitimate, criminal investigation.
>> MODERATOR: Thank you very much for this comment. So Emily, please go ahead with your question.
>> EMILY TAYLOR: Thank you very much for giving me the floor and also to EURid for organizing a timely debate by bringing together the sort of practical solutions as well as the policy discussions.
I had a question really about, you know, the – what you talked about, the differences between the privacy and law enforcement, even at the institutional level. And how you might – how that could be overcome. Is it a question of just more inclusion and convening and making sure that these agencies and stakeholders are talking to one another and understanding each other’s issues? So just sort of how to overcome that sort of gap that seems to occur whether at the practitioner level as Georgia was talking about or even at the institutional level.
And talking – I was really interested in what you were saying about the smaller platforms. And whether there might be a role for some kind of a clearinghouse to enable a sort of assessment to be made on behalf of those smaller platforms with lower resources. And then pass it on, you know, whether that could be done in a timely way, I’m not sure. But sort of sifting through and particularly identifying whether or not these are law enforcement agencies that could be cooperated with under the Budapest Convention or whatever. I would be really interested in the panel’s thoughts on those issues. Thank you.
>> MODERATOR: Thank you, Emily. Anyone wants to react?
>> MARJORIE BUCHSER: So I think on the SMEs and that was definitely I think from your highlighted the consultation, interestingly and maybe that’s – it was news to me, but the European – Europe more specifically has launched a project called Project Serious that is basically what you described to present the right information and help the interaction between law enforcement authorities and private actors in sort of navigating to a different system when it comes to cross-border data requests.
I think I would say it is absolutely an incredible initiative and effort from Europol. It is exclusive in nature. Apart from an annual report that they release, this is the only information and type of interaction they had was non-Governmental or so private sector actors. So that’s what I have to say about sort of SMEs and trying to support the interaction there.
Your point about national security, and again we don’t have the answers yet. But I think a few elements that we should point out. The first one is that they are good practices when it comes to oversight and transparency related to National Security Agency operations. I think what was clear now our consultation is that fiberized partners have started reforms on that front for a while. And they are quite good to share those best practices and lessons learned. In Europe the situation is slightly different when I think that there is potentially tension between different European entities. And again that’s not my opinion. That came through the consultations. So I want to be very clear that these are experts. Not my personal ones.
But that they are tension within the European Union in terms of integration and harmonization that’s for some practitioners seen as overstepping its mandate and sort of really sort of starting to be sort of trying to govern the space of national security essentially.
But that being said, I think there is a sense from practitioners at the European level that new processes, mechanisms for oversight and transparency could be achieved. However, I think it is clear that the negotiation and discussion would need to happen on their terms. And with a recognition of national security imperatives in that checks and balances apply. But there should be exceptions.
>> MODERATOR: Okay. Thank you very much, Marjorie. Thanks a lot. And I’m glad that you concluded with these comments with relayed practical aspects for SMEs, also the regulation, the question of overstepping the mandate, yes or not, which would nicely bring us to the second part of the panel with very practical solutions, implemented by ccTLD registries.
The earlier session within this same Focus Group brought some interesting overview by Paulina from Centre who I see among the participants in our session now. She highlighted these two directives that the ccTLD registries, registrars are obliged to keep accurate data. And she mentioned bullets that open new possibilities for verification of identities.
So we saw some practical implementations. And I would like to ask our two panelists from the ccTLD world to say their statements. So Jaromir, if I can ask you for your part.
>> JAROMIR TALIR: Yes. I hope I will not repeat everything what Paulina said in the previous session because I couldn’t participate. It is true that the registrant verification, it is a hot topic for many TLDs recently and actually it is not – it is related to the upcoming NIS2 directive in a way there is a potential that there will be direct impact of regulation for us as for ccTLDs or TLDs in general regarding to registrant verification. But I think that most registries recognize this topic for many years, recognize there is a clear link between the having anonymous or nonverified registrants in the registry. And the link with those cybercrime activities or DNS abuse.
So that was the topic for registries for quite a long time. And there is a significant cross-border relation with regards to this topic because the registration of the name is not in most countries bounded to the nationals. But also for the foreigners have the access to the main registrations.
This is different scope. Maybe not the same scope for us where we have around like 100,000 domains registered for foreigners. On the other hand, I can imagine that for EURid it is a much bigger problem, this cross-border issue.
And with regard to ways how to verify the registrants nationally or internationally, there is a lot of the methods can be used and I believe that Hans will go through all the methods that EURid is using in a shorter while. So I will mostly focus on the digital identities as one of these. Because Regina already mentioned that DNS abuse study published at the beginning of this year I guess, it was January, February, something like that which clearly suggests that digital identity is a good opportunity for registries and registrars to be used by – for this register verification issue.
And I must say if we had recognized there is a link between the registration of domains and digital identity maybe 12 years ago when we launched that identity service. Regina mentioned in the beginning where we thought to start to identify identities and play a role for the citizens because there was a time there was no digital identity in the Czech Republic. But with regards to this cross-border focus, definitely the study mentioned that eIDAS as the regulation is a great tool that could or should be used for this topic. And in the centre, we already four years ago in 2018 a couple of ccTLDs agreed to try to take advantage of eIDAS for this process of registrant verification. And also Netherlands – it was Denmark and Estonia at the time. We applied for the funding because the European Commission had applied for many years, since eIDAS was in effect in 2018.
So we applied. We had not succeeded. We tried it again in 2019 and we succeeded. So we created a project called REGID where these registries and together with the .nl. We have a lot of experience how hard it is to take advantage of eIDAS. We may talk about it later.
There are problems related to getting the access to eIDAS notes, which is mostly limited to the public services and not the private sector. We are experiencing that mostly the natural identities are only in the eIDAS, not the organizational identities. There is a lack of identification data going through the eIDAS Networks. So it is hard to match the identities in the service provider side and the – and with those identifications. So this is not easy. We probably also hope that the eIDAS revision may change this. Some suggested a paragraph to the regulation shows that there should be a bigger opening towards the private sector in this revised regulation. So we are trying to follow the – this work on the revised eIDAS.
The Commission actually is working in parallel on the legal definition of the new regulation and the technical solution. At the moment recently they also initiated a call for funding, for submission for funding for piloting the different solutions. So we are also trying together with the SIDN from the Netherlands to bring this topic of the registrant verification or the whole registration lifecycle to one of those pilots to be able to take advantage of this pilot to help with this topic as well.
So this is just overview topics that we can talk about in the next minutes. But maybe Hans will also say something about this as well.
>> MODERATOR: Thank you very much, Jaromir. Thanks a lot for highlighting the cooperation that also pilot activities, yeah. Because this implementation is in the end what will matter in the practical life. So what we are not lost just in regulations. So I suggest that we go over to Hans and then we can have a discussion on this topic.
>> HANS SEEUWS: Thank you. I’m currently the only one with some slides. So just assuming that everyone knows what the registry, so we keep track of who owns which domain name. .eu for the European Union as a whole. They all have their own pilot. Switch. So we started verifying identities, what is the underlying niche of that. There are three reasons. One of them is the eligibility criteria. You need to be a citizen or a resident or your legal entity needs to be within the European Economic Area. If you are outside of that, no link to Europe, you cannot register. We have a contractual requirement. We report to the European Commission and we need to verify the validity of a domain name application. These two directives. It says that the TLD registries will need policies and registries in place to ensure that the databases include accurate and complete information. What is in our database, we don’t store that much data. We store the name, company name, if applicable, address, phone number, the e-mail address and then the technical information being the name service. That’s it.
So it sounds probably easy to do that you would say. So you look at the numbers. Both of you have 3.7 million domain names. There are 1.7 million unique phone numbers. 1.2 million unique registrants with a legal entity. 800,000 private individuals. And last year, we didn’t have any automated verification methods, we did over 6,000 manual verifications with a team of three people.
So that’s quite a daunting challenge which led us to start what we call the customer project internally. And simply meant unburdening our team with doing all these manual verifications. They are not FBI forensic analysts. They are people from the legal team. And we thought it would be better for them and more efficient solutions. So we started experimenting. We are looking for the different verification methods. EIDAS was always on that list. But at that point in time we didn’t have a connection to the eIDAS note yet which is a conversation point by itself. To get through the bureaucracy of getting access we implemented a fairly simple system. We sent a message to the mobile phone. In the text message, the user clicks on that web link. And there is an application that opens on a mobile phone that asks them to scan the front and back side of this identity document. And the only data it extracts is what’s on the machine readable. So you see the characters that’s in a European passport and on most European identity documents, not all.
And then we supplemented that with verification by a bank payment, as we said a small amount to European bank accounts of their choosing. We include small codes and they go on our platform. They enter that code. And we establish a link between the registrant and the bank account. We experimented with Belgium identity cards. This quarter we will allow eIDAS that will give us access to all the different eIDAS schemes across the European Union.
And also verification via credit card as we reserve that small amount on a Visa card. And we let them sign that using the 3-D secure methods which is pretty popular amongst European banks. So these are the current methods we have. We will be rolling out soon. Now it is important to say that there is no silver bullet at the moment to perform really good and trustworthy identity verification. So each of these methods by itself has advantages but also disadvantages. So the nice thing about the eIDAS it is a direct source. There is no intermediary. You do verification. So you know that there is a link between the data that you gather, the actual holder of these data. But as I will go in a second slide it doesn’t even cover the full European Economic Area. It does contain the name. But depending on the country, it will or will not include the address. As I said earlier address is one of the things that will require us to verify. So if we don’t get even an address from eIDAS, how would we verify all these European registrants.
So I won’t go in to detail on each of these methods, but as you will see there is no single one that has all the Ts crossed and Is dotted. So at this point in time you will still need a mix. For us it is unclear how we are able to verify the identity of all these European registrants.
So here you see a map of the current eIDAS schemes within Europe. So the map looks pretty blue. But larger countries like Poland, for instance, and specifically Ireland and Finland, they don’t have an electronic identity scheme that has been accredited yet.
And even the ones that are in blue, even there we see issues because as I said we can’t explain, depending on the type of identity scheme that you want to get accredited you get a level of assurance linked to that. If you are below substantial or high, we in EURid are connecting to the Belgium eIDAS note. And only the European identity schemes that are accredited as high are accepted.
So the smaller ones, like in the Nordics, for instance, they work with bank I.D. which was linked to the banks. Some of these identity schemes are labeled substantial. So they might very well work in the Nordics, but we don’t get the data. Another downside is also that the address is rarely included which is really the important part.
And another downside is some of these identity schemes including the one in Belgium, they require you to read a chip and not an NFC, but a chip of an identity card. And that requires end users to have a card reader plus the middleware. And it is quite cumbersome. What we see as challenges for verifying data of registrants is, first of all, there is a difference between verification and validation. These terms are used interchangeably but are actually not. So I send a text message to a mobile phone number, that person replies. And I know the mobile phone number exists and I have validated it. But I don’t know whether it was the actual identity, actual person who was having the position of that phone number. So I have not verified a person. I have validated a phone number. And there is a level of trustworthiness that we need to adhere to, I think.
For registries like .eu we should see what is the verification cost versus the fees that we collect. They pay us on average two Euros per domain name. When I can collect the feedback from the different verification providers, they came up with a whole part figure between 10 and 20 dollars per verification. So how would we be able to only charge two Euros. But on the other hand be confronted with an average cost of 10 to 20 dollars if you want you to properly do it. Jaromir pointed out there is a big challenge in verifying companies. Because if you are a German company, companies are legal entities, not private individuals. They are not living beings. Still you need someone to act on behalf of that company.
Now it might be very easy for a small and medium enterprise startup that has two or three people. But if Coca Cola wants to register one of their brands in .eu, I’m pretty sure the director and officers of Coca Cola would not send in the front and back side of the identity card simply for the sake of registering that .eu domain name. Even if it is company information, the German VAT numbers are shielded. If you have a German VAT number within the European fees database you can look up whether that VAT number exists, but it will not return any data on the company.
So it is kind of a black hole, even for a company. Another question mark once you have verified the data, do they ever expire. Identity documents expire. The bank accounts usually or they don’t have a fixed expiration date. That’s something to take in to account. Depending on the verification method that they use how long will these data remain valid. Specifically around domain names, proxy servers are a common thing. If you want to shield your identity you pay a couple of Euros extra.
And that’s all – we as a registry also see these proxies. So should we prohibit these proxy services? Should we ask the proxy service to verify themselves? Big question mark. As I pointed out earlier verifying addresses to me is a main challenge. If we look at big tech, you would imagine that Google has found a great solution on how to verify addresses. If you look at the address of a company nearby or in a shop, in this case my favorite lunchroom nearby my house it mentions the address. How does Google verify the address of a company in 2022? They send you a postcard. On that postcard is a code and you enter the code on a portal. They haven’t found a better solution to verify an address.
Two other challenges, currently and I see a couple of registrars present, there is no ecosystem or standard across registries and registrars for identity verification. A lot of TLDs are doing their own thing as is .eu. They have their own process. If you have to deal with the customer, and he wants multiple domain names in multiple TLDs, I can’t imagine going through it over and over again. Even once you do if there is verified data and the bad guys know that this data exists, then it is not that hard to copy/paste this data and start using them to register or not only domain names but register domain names with data that you copied from somewhere else. That’s also a challenge we need to tackle.
So unfortunately the list of challenges is larger than I would say the list of targets that we achieved so far. But I think this session is a good first start to get more insights on how to take this one step further.
>> MODERATOR: Thank you very much, Hans. Even for it had more questions than replies, it was a nice overview of the practical solutions. And we have one question for you right away from the audience. Werner asks if EURid is considering voluntary verification services where the registry will publish information as to where the domain holder has been verified.
>> HANS SEEUWS: As to where it has been verified?
>> MODERATOR: Whether the domain name holder has been verified?
>> HANS SEEUWS: We currently don’t publish this. Registrant can request it. And if he passes the verification he will receive a statement of holdership from us. It is very popular in the Netherlands where domain names are sometimes put in escrow during a financial transaction. So I need to prove that you actually are a holder of a domain name. So we offer voluntary verification but we don’t publish the results currently.
>> MODERATOR: Thank you. And actually it leads me to one question which I wanted to ask Jaromir. In your experience with the cooperation with other registries, have you considered something like this? Like to have – because, of course, it’s clear that there are very much or many issues and costs considerations. So maybe we should not aim at having all the databases verified. But some system of let’s say verified domain names and when some categorization of the methods as Hans mentioned some lead to validation, and some to verification. And law enforcement or whoever will need it, will have at least something but it would be doable. Like some kind of, I don’t know, DNS subsection for data verification. Have you ever discussed it with the other registries?
>> JAROMIR TALIR: Yes. First maybe to respond to Werner’s question. For the CZ we have the flack who is the – if the contact goes through the verification, we put it like the green mark and who is that. So that everyone can see that this contact is – has been at some level, at some level verified. And to respond to your question, differently there are those attempts to unify these approaches as a group of ccTLDs that was initially organized by the Belgium registry, have created an informal group where we try to discuss how these different methods can be unified. And to give also to the registrants the single view on the registries, whether we should exchange the information, verification. Definitely also in the scope of the discussion.
A couple weeks ago there was the big centre event in Prague where almost all ccTLDs came and also one of the topics that they discussed how to make it possible to exchange the information if somebody has already verified some contact, how to transfer this information to the other registries. So there is no immediate response to these questions. But these questions are being discussed as well.
>> MODERATOR: Okay. Which seems to correspond to the concerns Georgia and Marjorie has raised before about the coalitions, possible coalitions. And some tools to enable even smaller companies to be involved in the exchange of data.
>> HANS SEEUWS: Yeah, I think the issue that Marjorie mentioned in the beginning –
>> MODERATOR: Can you speak closer to the mic, please?
>> HANS SEEUWS: My apologies. This kind of links to the issue that Marjorie raised earlier, I think where she said that even if the crime is committed in one country, that sometimes the data is scattered across other countries. And yet you still need this point of reference, where will you retrieve the authoritative data. And from the domain side we come from the exact same thing. Domain name could be registered in country A using a registrar from country B. Using identity details from country C and in the end what ends up in our database is all that we can give to law enforcement if they so request it.
>> JAROMIR TALIR: One remark also, to the topic that Georgia specifically mentioned that was – what I mentioned the centre event, one of the topics that we specifically discussed was also the how to law enforcement can get the access to the registry data when there is some crime that needs to – they need to investigate. And we touched a little bit on that and found out that it really is not easy to work this cross-border. Definitely there are some established ways how the national law enforcement agencies can access the data, nonpublic data from the registry. For example, who are the domains. But it easily doesn’t work cross-border. Even it may be work for the Europol but it probably won’t work for the country when Slovakia police will ask directly the Czech police. There is no established procedures how to do that cross-border.
>> MODERATOR: Thank you very much. So before I ask you a last question or ask for last reactions, I just wanted to quickly highlight the way which we went today from Marjorie making us aware of the ongoing study. A very interesting one. I can imagine that once Marjorie, you have some outcomes, some text to be shared the participants would be more than interested. So please share the link, if you have something with us as well.
She highlighted the questions of territorial reality. Then, of course, the connection of law enforcement and national security with some hope for coalitions of big tech, which should bring in to the game some, let’s say, technical move forward. Then we heard – excuse me, too many notes. I took really a lot of notes. Very interesting points raised. From Georgia, about the privacy concerns. And also on the example of Facebook, some systems which are being forumed for law enforcement. Also that there are concerns that small companies comply with all this. Then Jaromir, when we went over to practical implementation in the ccTLD they highlighted the cooperation and the necessity to run pilots, to show what is practical. And Hans with his overview of different methods, which EURid implemented for end users, but also with the statement that there is no method which would fit all. So probably this way towards cooperation and variety of choices for the end users would be the next step. And also sharing experience costs and so on.
So my – since we are moving towards the end of our time, I would like to ask all of the panelists if you can tell us in 30 seconds, one minute what would be – if you can choose one step, what step would you take in the context of your organization and of your field to enable or to move forward the cross-border e-identification in Europe? So maybe if we can go the same maybe order, Marjorie, would you like to start?
>> MARJORIE BUCHSER: Yes. Thank you. I think it’s an impossible question to answer but I will try. I think we covered that to some extent. And it is potentially not specific to this question of cross-border data but across the field of internet. What we saw is different factions that don’t talk with each other and the culture and process and operation are still very different than what are the sort of principal underpinning global international architecture. We see again and again the need to provide new platforms for cooperation. And create mutual understanding. And that’s what I wish for us to do as next steps basically.
>> MODERATOR: Thank you very much. Georgia.
>> GEORGIA OSBORN: Yeah. Thank you. I would just add to Marjorie’s point about multi-stakeholder involvement and not just engagement at the earliest stage. So every side can kind of discuss the issues that they will practically have to solve but also talking to smaller tech companies and facilitating an easier process for them who will have to face, you know, a lot of modern criminal problems. And they might perhaps not have the resources. So early engagement and liaison with the smaller companies.
>> MODERATOR: Thank you very much. Jaromir, can I ask you for your concluding next steps?
>> JAROMIR TALIR: We have been always big promoters of digital identity. And I think that we should continue with that because the digital identity really needs some advocacy and explanation to the normal users that it is something that they should not be afraid immediately, that should explain the advantages and definitely like the – that they should be careful with that and not afraid of that. This is one part of our work that we should focus on.
Second part, it is still work in progress. That we should continue to improve it. To make it useable, to make it better. And there is really a lot of work ahead of us yet before it starts to be at least European wide useful.
>> MODERATOR: Thank you very much. Hans, can I ask you for your concluding –
>> HANS SEEUWS: I agree with Jaromir as a closing remark. I heard being from a TLD, again I heard different viewpoints from other industries. And again this enriches the whole discussion. And I mentioned a couple of issues that I risk having tunnel vision. So I think before taking next steps, I think a first good step could be to make this inventory a potential issue and how they intertwine, and make this as broad as possible and then say okay, what kind of solution tackles many of these issues at once. Otherwise we just have a tunnel vision and I’m a victim of that sort of thing.
>> MODERATOR: Okay. Thank you very much for your concluding note as well Hans. And we’ve reached the end of our session. I don’t see also anybody at the mic in the room. If our EuroDIG organizers will conclude our session and after some break, we will have a further programme ongoing.
>> Definitely. Let’s end the session now. There will be a 45-minute break in this room. And then we will resume again at 4:30 with the next session on the Delay Tolerant Networks - Building Interplanetary Internet. So I hope to see you all back.
>> MODERATOR: Thank you. Thank you very much to our panelists for your contributions today. Let’s continue following up on this topic. It will be with us for sure for many more years. Thank you very much. Have a nice evening. Bye.