The pros and cons of moving to e-IDs
EDRi member Epicenter.works give their position on electronic identity (e-ID) in light of the continues work on e-ID in Austria. They share that as convenient as the e-ID may seem and as much it is being communicated as the logical evolution of the classic ID, caution must be exercised when it comes to creating, storing and accessing sensitive identity data. Utmost caution is required when the private sector and the state use shared infrastructures for this purpose.
Austria has been working on an electronic identity – e-ID in short – for quite some time now. Recent discussions on this type of electronic identification have focused on the electronic driving license, which is to be introduced in spring 2021. The draft legislation proposed by the federal government provides for voluntary participation, so switching to an e-ID is not obligatory. The e-ID serves as technical basis and infrastructure for electronic identification. The proposed legislation will also entail changes in the passport and personal identification system, since the e-ID shall be issued together with a new passport or identification card. At this point we don’t yet know what the e-ID will look like precisely. In the passport system, however, it is supposed to serve as a verification of personal data. The endeavor falls within the areas of competence of the Minister of digitalisation Schramböck and the Minister of the interior Nehammer.
The draft stipulates that data may also be provided to third parties, if the holder of the e-ID expressly consents. What this means in detail remains to be seen as well and it depends on the specific design of the e-ID. At first, this feature shall be implemented for the public sector only, and not for private actors. Currently, there is a call for bids for this platform (wallet), which will make governmental identity data and other attributes such as student IDs or driving licenses accessible for the business sector too.
Logical consequence or pitfall?
As convenient as the e-ID may seem and as much it’s being communicated as the logical evolution of the classic ID, caution must be exercised when it comes to creating, storing and accessing sensitive identity data. Utmost caution is required when the private sector and the state use shared infrastructures for this purpose. Data security should play a central role here.
Apart from technical requirements which must be met by such infrastructures, our position includes a political and societal perspective. How is this system implemented and how invasively does it treat citizens’ data?
What we expect and what we demand
- We continue to advocate a decentralised, unobservable identity system. Individual processes of identification or login must not be registered in a central database. The analogue ID doesn’t generate a protocol of where it’s being used, therefore the e-ID must not cause a disadvantage in data protection in this regard. This can only be achieved by designing the architecture of such a system properly, for example by using cryptographic pseudonyms, which warrant so-called “unlinkability” (e.g. see here & here).
- In the case of public-private partnerships, i.e. access by private companies, use cases must be controlled strictly. Otherwise, identity theft and other identity-related crime and mischief cannot be avoided. If the only barrier to the dissemination of government identity data is the e-ID holder’s consent, and if consent must only be given once, then discount cards such as JÖ and all Austrian newspapers will soon be able to use our identity data for advertising purposes.
- Use cases for governmental identity must be evaluated by the data protection authority regarding data reduction and economy in advance. It would make sense to limit the purpose of all these use cases and to prohibit the transfer of data to third parties for the same purposes. Otherwise, it’s only a matter of time before it ends up with Google and Facebook too.
- Wallets must be certified. It must be legally and technically impossible to market wallets, which do not meet this premise. This software must be open source and – ideally – be published under a free license, so that everything is traceable and people with free operating systems are not excluded.
- There must be an easily accessible record of everything a user has consented to. If doable from a technical and legal point of view, there must be an option to revoke consent and to obtain information on data processed. If identity data is stored on personal smartphones, all data transfers can be recorded directly on the device.
- The e-ID must not undermine our right to use IT systems anonymously and pseudonymously. The government program clearly rejects an obligation to use real names as well as obligatory identification online. The government even stipulated the contrary: “Durchgängige Etablierung des Prinzips der anonymen Nutzung von technischen Infrastruktur-Systemen” which literally translates to “consistent establishment of the principle of anonymous use of technical infrastructure systems”.
We have already laid down parts of these demands in our parliamentary position paper in the review procedure for the 2017 amendment to the eGovernment Act. At the time, the debate only concerned the first use case. The legal basis for the current pilot projects has already been created. The pressure from the business sector has reached a level of intensity we have seldom seen in Austria before: banks hope to use the eID for their legal know-your-customer requirements as well as for fraud detection, mobile operators, who already possess identity data due to the registration requirement, intend to bring their own (very poor) systems into play, Austrian media want to utilise the eID for managing subscriptions and placing personalised ads, and – of course – Austrian trust service providers also want a piece of the pie.
The right-wing conservative party (ÖVP) continues to express a wish to introduce obligatory identification online one day, despite the fact that the Green party (Grüne) managed to negotiate this project out of the current government program. Lastly, the topic also has a European dimension, as the EU commission’s work programme also announces a reform of the EIDAS-regulation.
Without a doubt there are useful applications for electronic identity, and it should be possible to design a privacy-friendly system. Apart from issues of technical architecture, legal safeguards must be introduced – the current data protection law is insufficient for this purpose. Electronic identity is an important topic for the future, and therefore also for us. We’ll continue to be involved in the political debate and keep you updated on what’s to come.