Hacia una identidad digital universal y soberana para el sector público que preserva la privacidad

 

The digitalisation of public administration services is nowadays an essential part of the Digital Single Market strategy to improve the access to goods and services across Europe for both citizens and businesses. In many cases, access to specific public services requires secure and trustful identification and management of the so called ‘digital identities’.

Traditionally, digital identity management systems have been based on centralised technologies and models that have become obsolete. On the one hand, username and password-based systems have led to usability issues and countless security and privacy incidents with some of the biggest data breaches in history. The application of this model over the decentralised services provided on the Internet means users must create separate, hard-to-remember identifiers for each online service they wish to consume. In addition, the digital identity is fragmented and stored across different service providers, and thus controlled by multiple third parties. This implies in most cases assuming levels of risk that should not be accepted either by users or even by the service providers themselves.

On the other hand, to alleviate some of the pain points of centralized identities, a federated identity-based model, where identity management is fully delegated to a third party, called Identity Provider (IdP), solves some of the problems addressed above. By using an identity provider in the middle it is possible to have one unique identity account with the IdP for signing in and sharing identity data with any site, service, or app that uses that IdP.  However, this approach presents serious privacy and security risks, such as that the Identity Provider will have the ability to survey the user’s login activity across multiple sites and then, and to learn about citizens’ habits, and customs.

Other mechanisms available for digital identity protection are those based on the use of digital certificates. Although they are a solution with a high level of security, they have two main limitations. Firstly, they have not been widely adopted by end users, mainly due to the difficulty of use. Secondly, it can be a privacy-invasive solution, as it is not possible to reveal only the attributes of the identity needed to use a certain service, but it is necessary to reveal the identity in its entirety.

Often, public administration services are based on above-mentioned identity models holding even different and overlapping versions of the same digital identity, facing difficulties to ensure a single consolidated and verifiable digital identity system. This results in inefficient processes and disturbance for both end users (citizens and also businesses) and public servants, European Self Sovereign Identity Framework (ESSIF), largely because they are intended to be compliant with the EU regulations (GDPR and eIDAS), as well as to increase the outcomes impact among the Member States.

 

 

 

Aprobado en la convocatoria Transformative impact of disruptive technologies in public services (DT-TRANSFORMATIONS-02-2018-2019-2020).