OpenID recommends steps for governments to protect the privacy of digital IDs

White paper draws on industry groups and leans into user control

Technology is giving governments tools to protect the privacy of people using the digital credentials they issue, but a series of steps should be taken to make sure those tools are used and are consistently effective, says a new white paper published by OpenID, titled ‘Government-Issued Digital Credentials and the Privacy Landscape.’

Contributors to the paper include the Better Identity Coalition, ID4Africa, the Kantara Initiative, the Open Identity Exchange, the Secure Identity Alliance, and the Trust Over IP Foundation, and it was edited by Heather Flanagan. Individual contributors acknowledged include some of the most prominent names in digital identity worldwide, such as ID4Africa Executive Director Dr. Joseph Atick, Okta’s Vittorio Bertocci, Debora Comparin of Thales, Stephanie de Labriolle of the SIA, Drummond Reed of Gen Digital, and John Wunderlich of the Kantara Privacy Enhancing Mobile Credential Work Group.

The white paper is intended to consider the digital identities and credentials issued by governments in liberal democracies, where there are typically privacy laws and citizens have expectations of privacy.

The current landscape of government-issued digital IDs is reviewed, and the gaps and risks in it considered. A number of national and international regulations and standards have emerged to protect digital identities, though the report notes that some observers say they do not go far enough.

A variety of digital identity systems and applications were considered, from the EU’s eIDAS regulation to Nigeria, where progress is being made on data privacy legislation, but it is not yet enacted. The privacy implications of technologies like digital wallets and protocols like SAML2 are discussed, and a privacy-enhancing architecture for mobile credentials developed by the Kantara working group is presented.

Governments should improve the security and privacy posture of digital credential issuance, storage, verification and use, the paper recommends. This must include basic cybersecurity management, but also extend beyond it.

“There must also be a recognition of ongoing concerns around surveillance, the challenges of diversity, equity, and inclusion, the grey areas of legality, and the sustainability of legal protections in the face of changing administrations,” the paper argues.

The paper explains standards for biometrics and identity assurance, as well as the OSIA (Open Standard Identity APIs) initiative.

Risks that must be considered depend somewhat on the motivations of the government issuing the credentials, which vary, particularly between countries with developed and developing economies, according to the report. Risks are also inherent to many digital identity technologies, as a service that can use sensitive personal data for authentication or authorization could potentially store, correlate or distribute it.

Biometrics can introduce risks to privacy if data leaves the individual’s device and is not stored properly, and while concepts like biohashing and revocable biometrics could help, there is little sign they are being widely adopted by governments.

The paper also touches on risks of data correlation and re-use and gaps in existing standards and laws.

Ultimately, the report authors have five recommendations for governments to build data privacy into digital credentials and identity ecosystems. They should give individuals control over disclosures of their own data, require data minimization by all parties, build accountability for relying parties into laws and regulations, minimize fraud and consider extensibility beyond the public sector.

“Through protocol design, hardware and software advances, and cryptographic algorithm evolution, technology provides the tools to enable a more privacy-enhancing environment,” the paper concludes. “Considering those tools in a purely neutral scenario, ignoring the threats of how they may be misused or abused in ways that impact privacy, invites new privacy risks that may have been avoided. It’s up to technologists to incorporate privacy awareness into the core of their designs.”

The white paper is available for free from OpenID.
