FB pixel

OpenID recommends steps for governments to protect the privacy of digital IDs

White paper draws on industry groups and leans into user control
OpenID recommends steps for governments to protect the privacy of digital IDs

Technology is giving governments tools to protect the privacy of people using the digital credentials they issue, but a series of steps should be taken to make sure they are used and render them consistently effective, says a new white paper published by OpenID, titled ‘Government-Issued Digital Credentials and the Privacy Landscape.’

Contributors to the paper include the Better Identity Coalition, ID4Africa, the Kantara Initiative, the Open Identity Exchange, the Secure Identity Alliance, and the Trust Over IP Foundation, and it was edited by Heather Flanagan. Individual contributors acknowledged includes some of the most prominent names in digital identity worldwide, such as ID4Africa Executive Director Dr. Joseph Atick, Okta’s Vittorio Bertocci, Debora Comparin of Thales, Stephanie de Labriolle of the SIA, Drummond Reed of Gen Digital, and John Wunderlich of the Kantara Privacy Enhancing Mobile Credential Work Group.

The white paper is intended to consider the digital identities and credentials issued by governments in liberal democracies, where there are typically privacy laws and citizens have expectations of privacy.

The current landscape of government-issued digital IDs is reviewed, and the gaps and risks in it considered. A number of national and international regulations and standards have emerged to protect digital identities, though the report notes that some observers say they do not go far enough.

A variety of digital identity systems and applications were considered, from EU’s eIDAS regulation to Nigeria, where progress is being made on data privacy legislation, but it is not yet enacted. The privacy implications of technologies like digital wallets and protocols like SAML2 are discussed, and a privacy-enhancing architecture for mobile credentials presented developed by the Kantara working group.

Governments should improve the security and privacy posture of digital credential issuance, storage, verification and use, the paper recommends. This must include basic cybersecurity management, but also extend beyond it.

“There must also be a recognition of ongoing concerns around surveillance, the challenges of diversity, equity, and inclusion, the grey areas of legality, and the sustainability of legal protections in the face of changing administrations,” the paper argues.

The paper explains standards for biometrics and identity assurance, as well as the OSIA (Open Standard Identity APIs) initiative.

Risks that must be considered depend somewhat on the motivations of the government issuing the credentials, which vary, particularly between countries with developed and developing economies, according to the report.  Risks are also inherent to many digital identity technologies, as a service that can use sensitive personal data for authentication or authorization could potentially store, correlate or distribute it.

Biometrics can introduce risks to privacy if data leaves the individuals’ device and is not stored properly, and while concepts like biohashing and revocable biometrics could help, there is little sign they are being widely adopted by governments.

The paper also touches on risks of data correlation and re-use and gaps in existing standards and laws.

Ultimately, the report authors have five recommendations for governments to build data privacy into digital credentials and identity ecosystems. They should give individuals control over disclosures of their own data, require data minimization by all parties, build accountability for relying parties into laws and regulations, minimize fraud and consider extensibility beyond the public sector.

“Through protocol design, hardware and software advances, and cryptographic algorithm evolution, technology provides the tools to enable a more privacy-enhancing environment,” the paper concludes. “Considering those tools in a purely neutral scenario, ignoring the threats of how they may be misused or abused in ways that impact privacy, invites new privacy risks that may have been avoided. It’s up to technologists to incorporate privacy awareness into the core of their designs.”

The white paper is available for free by OpenID.

Article Topics

 |   |   |   |   | 

Latest Biometrics News


Biometrics entering everyday activities via rising technologies

Biometrics underpin the new technologies that people will soon use on a daily basis for everything from payments to age…


Anticipation for Metalenz and Samsung’s answer to Face ID mounts

After Samsung and Metalenz collaborated to incorporate Samsung’s Isocell Vision 931 image sensor into Metalenz’s Polar ID imaging technology, Mashable…


Germany beefs up border security ahead of UEFA Championship

Germany has been ramping up security measures such as border checks and CCTV surveillance in preparation UEFA European Football Championship…


Inverid and Cybernetica team up to secure digital ID, signatures with biometric MFA

A new partnership has been formed by Inverid and Cybernetica to combine the NFC ID document-scanning capabilities of the former…


Vision-Box unveils new Service Design platform for travel experience enhancement

Vision-Box, an Amadeus company known for its biometrics-based travel offerings, has introduced its latest service innovation: Service Design, which aims…


Moldova’s first digital ID app sees 24K downloads in five days

Moldova’s first digital identity wallet was downloaded over 24,000 times within the first five days, causing temporary glitches due to…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events