OpenID recommends steps for governments to protect the privacy of digital IDs
Technology is giving governments tools to protect the privacy of people using the digital credentials they issue, but a series of steps should be taken to make sure they are used and render them consistently effective, says a new white paper published by OpenID, titled ‘Government-Issued Digital Credentials and the Privacy Landscape.’
Contributors to the paper include the Better Identity Coalition, ID4Africa, the Kantara Initiative, the Open Identity Exchange, the Secure Identity Alliance, and the Trust Over IP Foundation, and it was edited by Heather Flanagan. Individual contributors acknowledged includes some of the most prominent names in digital identity worldwide, such as ID4Africa Executive Director Dr. Joseph Atick, Okta’s Vittorio Bertocci, Debora Comparin of Thales, Stephanie de Labriolle of the SIA, Drummond Reed of Gen Digital, and John Wunderlich of the Kantara Privacy Enhancing Mobile Credential Work Group.
The white paper is intended to consider the digital identities and credentials issued by governments in liberal democracies, where there are typically privacy laws and citizens have expectations of privacy.
The current landscape of government-issued digital IDs is reviewed, and the gaps and risks in it considered. A number of national and international regulations and standards have emerged to protect digital identities, though the report notes that some observers say they do not go far enough.
A variety of digital identity systems and applications were considered, from EU’s eIDAS regulation to Nigeria, where progress is being made on data privacy legislation, but it is not yet enacted. The privacy implications of technologies like digital wallets and protocols like SAML2 are discussed, and a privacy-enhancing architecture for mobile credentials presented developed by the Kantara working group.
Governments should improve the security and privacy posture of digital credential issuance, storage, verification and use, the paper recommends. This must include basic cybersecurity management, but also extend beyond it.
“There must also be a recognition of ongoing concerns around surveillance, the challenges of diversity, equity, and inclusion, the grey areas of legality, and the sustainability of legal protections in the face of changing administrations,” the paper argues.
The paper explains standards for biometrics and identity assurance, as well as the OSIA (Open Standard Identity APIs) initiative.
Risks that must be considered depend somewhat on the motivations of the government issuing the credentials, which vary, particularly between countries with developed and developing economies, according to the report. Risks are also inherent to many digital identity technologies, as a service that can use sensitive personal data for authentication or authorization could potentially store, correlate or distribute it.
Biometrics can introduce risks to privacy if data leaves the individuals’ device and is not stored properly, and while concepts like biohashing and revocable biometrics could help, there is little sign they are being widely adopted by governments.
The paper also touches on risks of data correlation and re-use and gaps in existing standards and laws.
Ultimately, the report authors have five recommendations for governments to build data privacy into digital credentials and identity ecosystems. They should give individuals control over disclosures of their own data, require data minimization by all parties, build accountability for relying parties into laws and regulations, minimize fraud and consider extensibility beyond the public sector.
“Through protocol design, hardware and software advances, and cryptographic algorithm evolution, technology provides the tools to enable a more privacy-enhancing environment,” the paper concludes. “Considering those tools in a purely neutral scenario, ignoring the threats of how they may be misused or abused in ways that impact privacy, invites new privacy risks that may have been avoided. It’s up to technologists to incorporate privacy awareness into the core of their designs.”
The white paper is available for free by OpenID.