Upcoming digital identity initiatives impacting your life – FA 03 Sub 03 2022
22 June 2022 | 12:30 - 13:15 CEST | SISSA Main Auditorium
Proposals: #21
Get involved!
You are invited to become a member of the session Org Team! By joining an Org Team you agree that your name and affiliation will be published on the session's wiki page for transparency reasons. Please subscribe to the mailing list to join the Org Team, and answer the email that will be sent to you requesting confirmation of your subscription.
Let us introduce you to your digital identity.
Session description
After laying out the impact that existing and upcoming digital identities have on us all, the session will look at different initiatives and approaches to determine what benefits and dangers they entail for the consumer of digital technologies. The organizers' and presenters' goal is to enable the audience to make informed choices when it comes to their digital identity.
Format
- Welcome, Moderator, 2 Minutes
- Setting the scene: You and Your digital identity, Klaus Stoll, 5 minutes
- Panel session: Legislation framing the introduction of digital identities
  - Round 1: 20 minutes, Moderator will ask panelists to introduce the digital identity legislation they are involved with in 3-4 minutes, without slides.
  - Round 2: 5 minutes, Panelists' reactions to each other
  - Round 3: 6 minutes, Moderator's questions to the Panelists
  - Round 4: 9 minutes, Open questions from the floor.
- Closing: 2 minutes, Moderator
Further reading
Interested in the current state of the proposed amendment of the eIDAS regulation for a European Digital Identity? Here is the draft from the EU commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity COM/2021/281 final
And here is the latest amendment proposed by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament: Amendments 17-274 for Amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity Proposal for a regulation (COM(2021)0281 – C9-0200/2021 – 2021/0136(COD))
People
Focal Point
- Klaus Stoll
Klaus has over 30 years’ practical experience in Internet governance and implementing ICTs for development and capacity building globally. He is a regular organizer and speaker at events, advisor to private, governmental and civil society organizations, lecturer, blogger and author of publications centering empowered digital citizenship, digital dignity and integrity. Klaus is the CEO of the Internet Integrity Task Force, IITF, supporting the global dialogue on a digital Bill of Rights and Responsibilities and the implementation of a Trust Mark for digital integrity, DISCERN.
Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles.
Organising Team (Org Team)
The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.
- Vittorio Bertola
- Klaus Stoll
Key Participants
- EU: Polina Malaja, CENTR
Polina Malaja is the Policy Director at the Council of European National Top-Level Domain Registries (CENTR), leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem. She holds an LL.M in International Human Rights Law and Intellectual Property Rights Law and is deeply interested in interactions between technology and fundamental rights and freedoms in the digital age. Before joining CENTR, Polina was responsible for the free and open source software advocacy work at the Free Software Foundation Europe, together with leading the FSFE legal team and coordinating the biggest network of legal experts in Free Software: the Legal Network.
- Switzerland: Gerhard Andrey, Member of the Swiss Parliament
National Councillor GREENS & Entrepreneur; Gerhard Andrey (46) is a trained carpenter, wood engineer and postgraduate computer scientist. Gerhard Andrey is co-founder of the digital agency Liip, with over 200 employees in six locations in Switzerland. Among other things, he is a member of the board of directors at the Alternative Bank Switzerland. Since 2019, he has been a member of the National Council of the Green Party of Fribourg and is politically committed in particular to more sovereignty in the digital space and a sustainable finance sector.
https://gerhard-andrey.ch/bio
- Italy: Stefano Quintarelli
Computer scientist, serial entrepreneur and former professor of information systems, network services and security. Founder of I.NET, the first Italian ISP business and first Italian internet unicorn. He has been Member of Parliament in the XVII legislature and member of the High Level Expert Group on Artificial Intelligence of the European Commission, Chairman of the Steering Committee of the Digital Italy Agency, Chairman of the Advisory Group on Advanced Technologies for Trade and Transport for UN-CEFACT. He is a member of the Steering Committee of the Sustainable Development Solutions Network (UNSDSN) and of the Board of Directors of the Copernicani NPO.
He was founder of the Parliamentary Intergroup for Technological Innovation, author of the reform of the Digital Administration Code and creator of the Public Digital Identity System (SPID). He sits on the Scientific Committee of Bollati and Boringhieri, for which he published "Intangible Capitalism" (Canova Prize for economic divulgation) and "Artificial Intelligence".
https://en.wikipedia.org/wiki/Stefano_Quintarelli
- US: Mike Palage, InfoNetwork
Michael Palage is an intellectual property attorney and an information technology consultant who has been actively involved in Internet Governance and ICT issues over the last twenty years. Michael is currently the Chief Trust Officer of InfoNetworks LLC, an information technology company focused on solutions for building online trust, incorporating emerging areas of digital identity, decentralized identifiers, and verifiable credentials.
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder-balanced dialogue, also considering gender and geographical balance. Please provide short CVs of the Key Participants involved in your session at the Wiki or link to another source.
Moderator
- Lori Schulman
Lori S. Schulman is Senior Director for Internet Policy for the International Trademark Association (INTA) where she is responsible for managing the association’s various Internet policy and advocacy initiatives and serving as liaison to INTA’s very active Internet and Data Protection Committees. She is INTA’s representative to the Internet Corporation for Assigned Names and Numbers (ICANN). Lori has a varied background in general corporate and intellectual property legal practice and has managed the trademark portfolios of Fortune 100 companies and major nonprofit organizations. She started her career as an Attorney/Advisor for the U.S. Trademark Office. Prior to joining INTA as a staff member, she served as General Counsel for a leading, U.S. based, educational membership organization and publisher. Ms. Schulman is a former INTA board member and former advisor to the Public Interest Registry (PIR), the operator of the .org top level domain. Lori holds a B.A. in International Relations from Tufts University and a J.D. from George Mason University School of Law where she was a member of the George Mason Inn of Court. You can find her on LinkedIn and follow her @LoriKnowsNet.
Remote Moderator
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.
Reporter
Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:
- are summarised on a slide and presented to the audience at the end of each session
- relate to the particular session and to European Internet governance policy
- are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
- are in (rough) consensus with the audience
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
Messages
- Go to the messages from Focus Area 3
- Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/event/eurodig-2022/upcoming-digital-identity-initiatives-impacting-your-live.
Video record
https://youtu.be/qFEpZUpEML8?t=9178
Transcript
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
>> NADIA TJAHJA: Thank you very much. After this very brief break we’re going to go next into focus area 3, subtopic 3, Upcoming digital identity initiatives impacting your life. I would like to give the word to the moderator, Lori Schulman. Please, go ahead.
>> LORI SCHULMAN: Hello. Thank you very much. We’re pleased to be here. We want to thank EuroDIG organizers, sponsors, and ICEPT for allowing this great conference to go on. It is great to see everybody online, and I’m sorry I couldn’t be there in person. It has been my intention to be there with you.
We have a great panel. I think it is a wonderful follow-up to the discussions we have been having about sovereignty, what does sovereignty mean and taking sovereignty down from national level to, in fact, a personal level. That’s what it means to have a digital identity, what’s it mean to be known and seen online.
To discuss upcoming developments in this area we have the founder and Executive Director of the Internet Integrity Taskforce, Klaus Stoll, the mission is to extend fundamental Human Rights into cyberspace. We have Mike Palage, known to many of you, he’s the Chief Trust Officer for Info Network, an online trust solution provider, including digital identity, decentralized identifiers and verifiable credentials as services. We have a member of the Swiss parliament committed to making more sovereignty in the digital space, Gerhard Andrey, and a sustainable financial sector and interestingly a wood engineer as well as a computer scientist.
We have Stefano Quintarelli, a computer scientist entrepreneur, a former professor of information and a founder of INET, the first Italian ISP.
Finally, we’ll wrap it up with Polina Malaja, Policy Director for CENTR, the Council of European National Top Level Domain Registry, an attorney trained in Human Rights and intellectual property rights and the face of CENTR on policy matters globally.
I’m going to go right over to Klaus Stoll in the interest of time to tee up the subject for us, and we’ll start with the panel presentations, panel reactions and we’ll take questions from the audience.
>> KLAUS STOLL: Thank you very much.
In the interest of time, as we have such wonderful subject speakers, I just was very, very much impressed how much the connection between multistakeholderism we have discussed in the topic before and digital identities. What was talked about, the need for multistakeholders to share and digital identities, it only makes sense when shared, and these are basically the most current key questions coming to digital technologies and Internet Governance.
Even if we define digital identities as nothing more than applications or algorithms, behind every digital identity, like behind every digital stakeholder, there stands a real person. Real people with rights and responsibilities. The fundamental rights of people are defined by the universal rights – the Universal Declaration of Human Rights. Consequently, digital identity needs to be measured first not by the usefulness and functionality, but how they consider and reflect the fundamental Human Rights and responsibilities that are common to us. There may be many digital identities, but the main difference is how they’re respecting Human Rights, also persons that they’re attributed to.
As in many cases, we use Human Rights not as a content, but just as a phrase to say we’re the goodies. In this case, there are so many connections, and I think we really should put the measuring stick of Universal Fundamental Human Rights to digital identities and with that, I hand over to the next speaker.
>> LORI SCHULMAN: Thank you.
>> MIKE PALAGE: I would also like to begin by thanking EuroDIG for inviting me to participate in this panel today, and for including multiple sessions on this important topic.
Digital identity, it is a topic that I’m very passionate about, and it is a topic that I dedicated in the past five, seven years to my professional life. I would like to begin by closely aligning with the opening comments of Klaus Stoll about digital identity being a fundamental Human Right. It should be recognized under the Universal Declaration of Human Rights. I believe that target 16.9 of the UN Sustainability Development Goals that aspires to provide legal identity for all, including birth registration, supports this fundamental Human Rights proposition. Although the text of the UN’s sustainability goal does not specifically reference digital identity, I believe that the events of the past several years highlighted the importance of identity documentation being digital first or digital by design. National disaster, geopolitical conflict have shown the ease with which physical documents can be easily lost or destroyed.
One of my earliest exposures to the potential transformative impact of digital identity was some of the work I have done with Universal Postal Union and top level domains. Specifically, they were looking at how digital identities for both manufacturers and consumers would help local artisans open up a global market for the goods and services, and how this in turn could drive self-sufficiency and financial inclusion.
A quick note given the current venue of EuroDIG, over the last several years, the UPU’s dot post group, responsible for the governance of the top level domain, they have actually been chaired by a representative.
The late Kim Cameron, the former Chief Identity Architect at Microsoft and the author of the Laws of Identity, once stated that the internet was built without an identity layer. While the internet has kind of had a transformational impact on societies in both at the commercial, as well as a social interactive perspective, the lack of an identity layer I believe has negatively impacted the ability of the internet to still reach its full potential.
Where as much hope and aspiration that I have for the future of the digital identity, I have equal part of fear and apprehension. I believe a critical aspect to ensuring that digital identity reaches its full potential is empowering individuals with meaningful control over how their PI and attributes associated with their digital identity are collected and processed.
For the remainder of my opening remark, I would like to quickly look at the good, the bad, the ugly regarding digital identity. Let’s start off that there is a lot of good to report.
I believe the most important, relevant to most would be how a global workforce as a result of the COVID pandemic was able to seamlessly transition to a remote environment. As a result of this transformation, identity is now often referenced as the new perimeter in network cybersecurity. In India, over a billion people have been biometrically onboarded to their system which is used by Indian citizens for a range of services. Italy’s new identity scheme has surpassed 30 million account holders, 10 million activated within the last month. The European Union in connection with their latest initiative announced that shortly every European citizen will have an eWallet.
Right now, there is a lot of tremendous work being done in the standards area regarding mobile digital driver’s license.
Turning to the bad, for those individuals who lack identity credentials, either digitally or physically, these individuals have quickly found themselves marginalized, or in some cases completely disenfranchised. The transition to digital identity has also reinforced growing disparity between technology haves and technology have nots where access to a smartphone is almost a prerequisite.
Finally, the ugly: Let’s be clear, discussing the ugly is not intended to be a basis not to implement the digital identity but to stress the importance on doing it right and how to learn from the mistakes of others that have gone before you. Referencing Aadhaar, there have been cybersecurity incidents reported over the years. Most recently involving a website that was disclosing the Aadhaar IDs of a number of farmers. In Australia, there were some recent cybersecurity flaws found in the digital driver’s license issued by New South Wales and most concerning, the lives of tens of thousands of Dutch taxpayers were significantly inconvenienced when an AI algorithm wrongly flagged them for potential childcare benefits fraud. Hopefully these initial remarks will provide a framework for other panelists.
Back to you.
>> LORI SCHULMAN: Thank you, Mike. That sets us up very well for an interesting discussion.
Next on deck is Gerhard Andrey from Switzerland.
Please, you have the floor.
>> GERHARD ANDREY: Thank you so much, EuroDIG, for having me here with you today. I’m of course at home as others among you, I’m in my hometown in Switzerland.
Where is Switzerland at on this topic, the ID, as you may know, Switzerland is particular, we have an interesting thing called Direct Democracy. What does that mean you may ask, in this context here. About a year ago, you have a referendum on an eID bill and it was probably I guess the first and only vote of a population on a digital topic I guess, worldwide I guess. The thing is, this bill, it produced by the government, it was passed by the parliament, heavily rejected by the population, 65%, which is quite high for this kind of bill because usually if government is pushing something and the whole parliament is for it, usually it passes. Here’s the contrary. What was it about? It was a mix of digital identity, single sign infrastructure, so it was some sort of mix-up of different things.
There was a delegation, a mission of this official identity to the private sector. The idea was that you go to the bank, an insurance company and you get the official ID, the state-approved ID. The bill was fit, shaped for an existing solution run by a consortium of big Swiss companies. That was part of the let’s do this thing, we have it already there in our shelf, let’s produce a bill that’s compatible with it.
That wasn’t what the population wanted to see and they rejected it as I said, heavily. Why did the Swiss population reject this kind of a project, this kind of a bill? It was seen as a sovereign task that was done by the state, not private sector. That’s a main reason that the population refused it. It was not understood by the population why should I have that. It was also part of the problem of the pro campaign that basically said do you have your passwords, here is a great idea, we’ll solve that, people didn’t get that. They didn’t believe that, that wasn’t the real issue. It was also part of some sort of failure of the campaign to convince people that they actually need this bill.
There was another big topic on data collection, protection, it was a key weakness of the not so state-of-the-art solution that was so-called sold through the bill.
The rejection was heavy, nonetheless, all camps – my own especially as well – wanted an eID, where we need this fundamental component in a digital trust infrastructure. That’s out of question. We need a good one.
What happened then? Only three days after the vote I orchestrated a new motion for a new bill and with all parties. I basically was able to convince them that we have to do it right and they all, themselves, they wanted the eID, it was quite special. Only three days after the vote we produced a new motion saying basically what we defended during the campaign, so it demands a privacy by design solution, a decentralized data storage, minimal data gathering, and it has to be orchestrated by the state even though it can mandate private companies to build and run components as long as it keeps full control and stays the entity doing that emission as well.
If everything looks fine, this bill will pass within next year. I hope that will be the case. I don’t think there’s going to be a next referendum. It is now in a way a – I know others that could challenge the bill, but I don’t think that’s going to happen because now there’s an interesting way of doing things now.
How does it look like technically? In parallel to this work on the bill, the government is already working on pilot projects compatible with this new bill. It is going to be an architecture of this self-sovereign identity, it will be decentralized, it will be data protected by design and it is going to be run on open source software. That’s another thing that’s particularly interesting and important to me.
The state’s personnel, they’ll use this new solution quite soon. It is about 40,000 employees of the federal government that will use that ID as first users, and there will be other identities like the driver’s license that will be also done with the same technologies to have a wallet that they were ready with the eID and I hope that’s the case next year or 2024. That’s about it.
How it is in Switzerland? The long story short, we lost time, we are slow, we gained a lot of knowledge. I think we have quite interesting a legal basis and a technical – a technological architecture fit for future.
That will be my opening statement.
Thank you so much.
>> LORI SCHULMAN: Thank you.
I think that’s particularly interesting about doing it right part, that it is one thing to have a concept, another thing to execute. I think that’s the debate we’re having about a lot of issues in Internet Governance, having that practical example is certainly noteworthy.
We had Stefano Quintarelli scheduled, I don’t see that he’s signed in yet. Polina Malaja, I hope you’re ready to go. You can talk about the experiences of the CENTR, the CENTR members with the area of digital identities and eIDs and understanding that your customers are as registries in the domain name space.
>> POLINA MALAJA: Thank you very much. I hope everyone can hear me well.
First of all, I would like to start by thanking EuroDIG and thanking the organizers for inviting me today and also for allowing me to be a part of this distinguished panel today.
I will be providing a different perspective on the use case on the internet of eID and we’ll talk about the basic infrastructure domain names.
I would like to outline a few words on the existing legal framework governing eIDs in the European Union, and as maybe many of you know, this framework is currently being revised on the legislative level.
So the current legislative framework on eIDs that’s currently valid and revised on the E.U. level, the regulation, it has been in place since 2014. One of its aims was to ensure that all Member States have a functioning cross-border electronic identification scheme available for their citizens to primarily access and use public online services. It was specifically targeted at the eGovernment services.
By 2022, this year, we knew that out of 27 European Union Member States, only 16 have at least one national electronic identification means available for the citizens to access the eGovernment services. Considering that existing regulation did not achieve the goal to provide each European citizen with a valid electronic ID, a proposal for the regulation on European Digital Identity was issued last year, June of 2021.
The E.U. ID proposal, I will call it, requires each Member State to issue a European digital identity wallet under the national identification scheme. It also should be primarily conforming to cybersecurity and privacy standards, but specifically also allowed to be certified under the voluntary cybersecurity certification schemes.
Just to bring it back into the perspective of why we gather today, a biggest challenge to the existing legal framework introduced by the E.U. proposal, it is that this new electronic identification wallet app will be open for private companies, so-called relying parties, to check that entity of any other attributes about their customers, specifically end users.
This, of course, opens up many new possibilities for the wallet app to be used in private sector and also by private sector. It also comes with a set of challenges and, of course, primarily for end user as essentially this is their data that may be used in a way that’s not been intended by them when they agreed for the collection.
From the CENTR perspective, the extended use case for the E.U. ID wallets outside of eGovernment, public services includes identification and verification of identities of the domain name holders and as has already been discussed in previous EuroDIG editions and we mentioned a little bit about that yesterday. According to the upcoming directive, the revised cybersecurity legislation in the E.U., the registries, the registrars, they’ll be obliged to maintain accurate, complete databases including verification of identities and contact details of the name holders. From our side, from the CENTR perspective, if they conform to the privacy and cybersecurity requirements as intended by the proposal while also being mindful of applying relevant safeguards for users to not be subject to the processing more than necessary, the eID wallet will serve as a solution for facilitating access to a basic different infrastructure such as domain names in the E.U. and in a secure way. The challenge that I see from registry perspective, using eID wallets for compliance with the data accuracy compliance under this too, when the wallet attributes not necessarily matching the obligatory datasets which is required from registries and registrars to keep accurate and complete.
For example, it may be easy to identify the domain name holder and their identity with the wallet, but at the same time, it is not possible to verify the contact details. As a result, there is a risk that may create a rigid domain name holder regime that may not necessarily match the parallel efforts of establishing the E.U. ID across the E.U. For an end user, this may be – it may be a requirement to share more personal data than is necessary in order to establish one’s presence online, and perhaps also there’s a risk that this will work with the purpose limitations and all of the important principles that are codified in the GDPR.
I would like to just perhaps conclude with a little assessment, that there is a peculiar situation on the online world, on one hand, the users are constantly surrounded by data hungry environments, aiming to collect and process more data in order to establish sometimes very elaborate behavior profile of the individuals. In this case, regulator, of course, is inclined to limit this harmful practice and rightfully so by establishing strong data protection principles that are applying for both commercial and non-commercial entities. On the other hand, we also may see a risk of establishing a rigid requirement to collect certain datasets that are not strictly needed to keep the internet infrastructure up and running and it is unclear how these requirements are compatible with the data minimization principle. In the absence to protect the end user and protect their data and the privacy online, so I would like to end with that.
I look forward to further discussion.
Back to you.
>> LORI SCHULMAN: Thank you.
As you can imagine, this is an area where I do a lot of work for members of the international trade association, I’m Lori Schulman, senior Director for internet policy for the international trademark association. Polina Malaja, Mike Palage and I, we work together on these thorny issues of figuring out what is the appropriate line in terms of having access to registrar information and the real level of data required. These are important points. I will come back to you with some questions that came to mind as you were talking.
I will let you know that our fourth speaker Stefano Quintarelli had a family issue arise, we’re not sure if he’s signing on today. I’ll keep an eye out for Stefano Quintarelli. I will circle around and in terms of that adjustment, there was a question asked in the queue and I’ll ask the question, Mike had volunteered to answer it, when we do that, we can go into a group discussion.
Given how close the question is to what the presentations were, perhaps we address it now and Mike Nelson had a question, how do you explain the failure of Microsoft Passport with the access of Facebook and Twitter’s ID service which thousands of online services use.
Mike, you want to take a stab at that? Go ahead.
>> MIKE PALAGE: Yeah. Thank you. Perhaps we tie it into a larger technical discussion, perhaps kill two birds with one stone here.
One of the things I think is intimidating for people getting involved in the identity space, all of the different technology solutions that are out there. One claiming to be better than the other.
One of the things I have learned through a lot of the work with UN agencies such as the UPU, ITU, others, it is the need for any solution to be technology agnostic. By ensuring that, you generally will provide a greater likelihood for global interoperability and greater user adoption.
For those that are new to the identity space, there are generally three technology stacks that most identity solutions are powered by. Sometimes as will be quickly apparent, many in the identity space zealously advocate that their technology stack is superior to the others.
The first camp is the old school certificates. This is a technology stack that’s well engrained in government solutions and financial services sector. The simple fact is, this is not going to go away any time soon.
Now, to Mike Nelson’s point, the second camp, which probably has had the largest impact on individual users, it is OAuth2 and OpenID Connect. Most people have been exposed to this through the incredible work that the OpenID Foundation has done.
The reason of the greater adoption, it was a positive user experience. I think that’s perhaps the simplest answer.
The third technology stack that I think is important to mention, it is verifiable credentials, this is an emerging technology stack that’s often associated with web 3 blockchain or digital literacy technology solutions. Most of this work right now is taking place within the W3C, but these are the kind of three technology stacks and it comes down to user experience, if you create a positive user experience people will use it and I think that’s why the European Union is basically coming up with this. This was well intentioned and did not get the adoption and if you look at where they are going with the eIDAS 2.0, the European wallet, empowering the individuals to control that, I think that’s the solution.
Hopefully that killed two birds with one stone there.
>> LORI SCHULMAN: Thank you.
Anyone else have any reactions to either what Mike has just responded or any other statements made by the colleagues? If not, I certainly can start a round robin of questions. I wanted to see if anyone had initial reactions on the panel to what had been presented.
I see our host has a hand up.
>> NADIA TJAHJA: Here in the room we have two people sitting at the mic and I would ask if they could both state their question and then we can go back to you.
>> LORI SCHULMAN: Okay. Yeah. Again, since we’re kind of shuffling the order, there is no problem with asking, intervening questions, and then we’ll get back to the panel impressions.
Please, go ahead.
>> I’m Chairman of ID For Me project. First, I agree with Mike, the problem, one of the main problems, there are too many solutions, not that there are not enough of them.
In the end, this is one of the main reasons why digital identities are not in wide use actually. But in the end, if you look at the market, the reality is that not just in Europe, there are two solutions taking ground, the public one, it is related services which depending on the country, they don’t have a big adoption like in Italy, but still they’re gaining adoption and they’re generally used for public services.
On the other hand, we have the private sector solutions and in the end, the only ones using at that level, it is the private sector one, by the big global internet platform, basically just about Google, Facebook, partly Apple and all of the others as someone had pointed out, had not had significant success. These are used for everyday websites and activities I use much more frequently than the public one.
The question, it is how do we consolidate these two aspects? Both are not very open, not very interoperable, not very free, not global and unfragmented as the internet we would like to build.
The governmental one, it can be the model, depending on the model, in Italy, you can choose your providers, but there are only 12 providers approved. In the private sector, you don’t have a choice. If the website only offers you Facebook or Google, you can only use those and then you have to accept whatever privacy and data protection practices they have adopted which is not favorable to the user.
Can we bring back control to the hands of the users without going through blockchain solutions which will never take off and how do we do that? Should we start from the public solution or should we start from the private sector solution?
>> MIKE PALAGE: If I could perhaps take that.
>> LORI SCHULMAN: Yeah. Yeah. We have one more question.
I thought we would take them in series and then it may be more logical. Thank you.
>> Thank you. I’m a member of the YOUthDIG. The youth, but please take this question not as coming from the youth but the concerned citizen. I do have some experience with research and software identity, before this self-serving identity is self-serving it has to be issued by one, I’m born, I get the certificate from the state, I can’t claim I’m born, so please take me as I am. I’m thinking do we not have this philosophical clash of visions on how do we empower citizens to execute their own power and rights and control their identity online or in the physical world while relying on the primary step of the institutions to grant them this, you know, merit. Of course, you know, if we don’t have this on one hand, there is an hierarchy, people claim whoever they want, on the other hand, there is a bias. What if the government has something against my family, I will not get the birth certificate. If you could maybe address this sort of digital self-determination and digital sovereignty. Thank you very much.
>> LORI SCHULMAN: Thank you.
I know we have another person standing in the audience. We’ll ask you to hold for a few minutes while we get the two questions addressed. We do not want to lose the train of thought.
Mike, I’ll ask you to take the first question, and then I thought perhaps you would like to answer the second, Gerhard Andrey.
>> MIKE PALAGE: I think the answer is it is both. It will have to be a public private partnership to solve this. Peter noted in the chat, there were four that recently had run a cross-border test on where the underlying credentials were exchanged through a network. So again, getting back to the solution which hopefully Gerhard Andrey will talk about. You need that trust anchor. In most situations that trust anchor, that identity document, it is most likely going to be a government-issued identifier, that is just the reality. That’s why I didn’t talk about self-sovereign, I talk about empowering users to control that. That is really just the reality.
Hopefully, Gerhard Andrey, you could expand upon that a little further.
>> GERHARD ANDREY: Yeah. I can try.
Thank you so much for this second question about what that is. Self-sovereign, what’s that mean? Can I from day one, as a baby, can I be self-sovereign? There are limits to that.
I think that may be different from country to country. I really have the big luxury that no one can refuse an identity to a person that is born and has the right to be here in Switzerland. No government official can have anything against my family and try to not grant me this identity document.
I can’t really tell how other countries, they have to solve this problem, it is a basic Constitution, fundamental right to be a part of a society that constitutes a country where there is an issue with that. That’s not what we actually address here in Switzerland with the legislation that we’re working on right now. We somehow have the luxury that it isn’t an issue.
How to get to this self-sovereign identity, I use this term, it is what the Swiss administration is trying to put in place, it will be in some sort of a self-sovereign identity architecture and what I have seen up until now, it is that, even though there is a lot of open questions. The basic thing is, I’m the one controlling whom I’m giving what data for what purpose and there is no other entity that actually can track what I’m doing with this data. That’s basically the fundamental principles we try to put in place. There is this other thing. When you have – in Switzerland, usually I myself as well, from time to time, I go to the passport office, that’s a place where I get the identity cards from my kids or my passport, whatever, and there is a touch point. This office has everything in order to give me access to the digital representation of the same thing, it is basic. We don’t try to solve here everything at once, we only want to deliver basic authorized and validated data so that they can use them in order to become a client in a bank or in order to show anonymously age, if I want to buy alcohol, I can show my age without giving my birthdate, my name, whatever, because it doesn’t matter. It will be quite simple and simplistic and I think that’s going to be one success factor, we shouldn’t try to solve every problem at once because then again we’re going to have a hard time making it usable, making it acceptable, making it trustworthy. We had a good example with our COVID certificate app. It was a good, well accepted application done by the government, built with open source components and it was really, really widely accepted because there was proof that it is possible to have something that is simple, that is lightweight, that there is no data collection whatsoever even though there was a real-time check on the data.
It was an architecture that actually wasn’t gathering data. Long story short, I think you need some sort of initial authority that grants you access to some sort of identity data. Everything else is something else I would say.
>> LORI SCHULMAN: Thank you.
I was going to say, in the interest of time, we want to get Stefano Quintarelli in, I know we had one question in the audience. Can that question be deferred to the workshop? I know there is a workshop after this? Can I ask that questioner to please answer your question, then we’ll go to Stefano Quintarelli, time is ticking down.
I will ask – we’ll have the question asked, I’ll ask whoever volunteers to respond to keep it under a minute and we’ll give the last words to Stefano Quintarelli.
How about that. Then we should end on time. Go ahead, please ask your question in the audience.
>> Thank you. I’m with Internet Society and it is actually more of a comment. Hopefully it won’t eat up too much time and the panelists can give final comments. With the Internet Society we have been looking at specific parts of the updated eIDAS, particularly about the implementation and the niche issue we’re looking at, Article 45, which is about the requirement that browser, group programmes must accept all qualified website authentication certificates which is an E.U. term. You know, what they do, they certify perceived legal identity where transport certificates, they verify the website, our view is requiring the browsers programmes would exempt them from cybersecurity standards and could give Europeans a false sense of cybersecurity. I wanted to share that, you know, there may be some issues on the implementation side that we should be looking at and aware of and just share this view.
Thank you.
>> LORI SCHULMAN: Thank you. Thank you. I think that’s to be noted in terms of standards and acceptance and what can certainly be talked about in the workshop.
We’re going to closeout with Stefano Quintarelli who has a particular interest in the oversight of the IDs and the transparency in terms of how they operate. We’re scheduled to end in 2 minutes. Do we have any time to go over given we started a little bit late? No. Okay.
Stefano Quintarelli, wrap it up the best we can and we appreciate you signing on in difficult circumstances.
>> STEFANO QUINTARELLI: Thank you. I apologize for being late, my daughter got COVID and she had her final exams for high school. It has been a complete mess.
I started proposing the Italian digital system in 2012 and we started working to it in 2013, before others. We have presently – of course, we merged in to other, and we have 30 million actively using digital identity I must say in Italy. Something that we were very concerned since the beginning, it was the possibility of some entity to control what users do or don’t do online.
You know, once you digitalize an activity, suddenly you have a scale, a speed that far exceeds human possibilities, and if you have a single entity managing the identification system, the identity system, then those who manage that system have an immense power over the lives of citizens. One of our design issues was how to maximize privacy and the respect of citizen rights, and so we decided that they should – it should not be run, managed by a ministry because our experience tells when you have something managed inside of a ministry, a government office, then suddenly it is way more opaque and it is very difficult to have a proper accountability. I can tell you examples of several parliamentary inquiries into the operations of the ministry that do not get answered and, of course, we all know that Freedom of Information request to the government often fails. This is an area of particular concern for us who designed the system in Italy, and we have decided to provide the identity service that should have been run by either public, possibly by private entities, why this? Because once you establish the vision between the provision of the service and the government and the executive branch, then you have a border where you can have checks, and checks are conducted by the National Privacy Authority and the Data Protection Authority by the Italian Digital Agency. By the way, I was Chair of the Steering Committee of the Italian privacy agency, digital, for ten years. So those agencies, then, of course, the normal judicial area system. It was a way to – we have a number of entities.
We have a number of entities, either private or public, that are those who provide the digital identity to the users and to provide the service. That way, we can have a border where we can inspect and have transparency and sanctions, et cetera. Now, this is becoming – somebody has mentioned recently and I will conclude – the digital certificate. My daughter was one of the first positive girls in Italy, and she was one of the first getting a COVID vaccination. The time when she got the infection and the vaccine, unfortunately, the system was not properly in place. There was a misalignment in the databases. When suddenly it came, the need of presenting a digital certificate in order to enter a bar or a restaurant, she was not able to obtain her digital certificate even if she had the rights because of a problem of an issue of the digital system, the digital system, it took ages to fix that. The escalation to the ministry, et cetera, I don’t know for other persons that would have been in my same position without having the network that I luckily had. So I was able to fix it, to have her digital pass, her digital certificate issued.
The point I want to raise – two really – the first one, it is that digital is becoming a power that gives and takes away rights to citizens. This is a power that can be used at lightning speed, speed of light on a vast number of people without leaving any traces. That power, it is growing significantly in importance and it will grow in the upcoming decades and it needs to have a special transparency and oversight and this transparency and oversight is very difficult to obtain if you have bureaucratic management of the systems inside of a body of the executive branch.
The argument I’m trying to raise, it is we need digital identity, of course, it is a key, the control of digital identity should be scattered in several hands and overseen by different bodies, not only – not buried inside of the industry, in order to have many possible authorities looking at it. We should try to think of a way to ensure that the digital power, which can be used at the speed of light, the subject and precision on vast amounts of people, we should have a government mechanism in order to ensure that this power is not used for that.
I know I have been long for a few minutes. I apologize. It is difficult to say that in that short amount of time.
>> LORI SCHULMAN: Thank you. Your insight was valuable to the discussion, particularly in terms of decentralizing the control of some of the data which is the first I think we have heard about that. With that, I encourage people, there is a workshop on identity I believe coming up next, if you’re interested in the topic, please join us in the workshop.
Clearly we need a lot more thinking about this. I want to thank everybody, thank EuroDIG again for giving us 5 extra minutes under the very challenging circumstances. It was great to have this conversation.
Thank you.
>> NADIA TJAHJA: Of course, we want to thank the moderator, Lori Schulman for her kind moderation of this session.