CVS Health was involved in this year’s Identity Week America as a healthcare entity invested in enhancing digital systems used by the medical profession to deliver a quality standard of patient care services. This interview starts by asking Abbie Barbir, Senior Security Advisor and Co-Founder of ADIA, at CVS Health whether driving public sector funding and budgets would have an impact on improving cybersecurity so that communication portals between the patient and profession and third parties can not be compromised by any bad actors.
The sector needs to assess what the new threats and deficiencies are while digital identity is evolving to increasingly bind the patient to their personal data.
Preparing to meet the 2025 REAL ID deadline in Georgia – Spencer Moore, Commissioner at the Georgia Department of Driver Services
With the minimum security standards for REAL ID looming in May 2025, Spencer Moore, Commissioner at the Georgia Department of Driver Services, sits down with me for Identityweek.net to discuss the proactive stance the state of Georgia has taken since 2012 to establish integral identification cards.
As the U.S. does not possess a national ID, more pressure is piled on individual states to ensure the fabric and foundational structure of ID licenses and documentation – from the physical card to its security features – has credibility, converging with interoperable standards.
Georgia has sought to equip residents with REAL ID driver licenses as holders to essential services and identity assurance.
99% of citizens in Georgia are REAL ID compliant. Mobile Driving License adoption in wallets, which was introduced in Georgia in May of this year, has identified 250,000 people that already have the application in their wallets.
Hear about their mobile license integrations with Apple and Google that are proof that Georgia is ready for the May 2025 deadline.
Axon Wireless, a technology solution company specializing in large-scale customer enrolments for telecommunication and financial services in developing markets, and TECH5, an innovator in the field of biometrics and digital identity management, announce their partnership and technology integration. Axon Wireless has incorporated T5-AirSnap Finger, a patented contactless fingerprint biometric capture and liveness detection technology from TECH5, powered by AI and deep learning, into their remote eKYC application for self-enrolment, as well as its biometrics handheld terminals COMET-10 and COMET-20.
The integration of T5-AirSnap Finger enables Axon Wireless to offer customers a fully remote solution, allowing for biometric capture and verification, as well as document authenticity checks. First, a customer uploads their ID document, which is read by optical recognition technology and tested for authenticity. The application then sends a request to the Ministry of Home Affairs to determine which finger of the user should undergo biometric verification against their biometrics stored in the ministry’s database. Once this information is received by the application, it prompts the user to present the selected finger for contactless capture and verification of its fingerprint. T5-AirSnap Finger captures and prepares biometric data for further processing, ensuring compliance with interoperability standards within seconds. During biometric capture, T5-AirSnap technology performs liveness detection, ensuring the finger is real and not replaced by a photo, video, or an artificial finger with a copied fingerprint, thereby excluding the possibility of a spoofing attack and ensuring the integrity of the process. The captured fingerprint is then submitted by the Axon Wireless platform to the Ministry of Home Affairs for verification.
Following biometric verification, Axon Wireless can implement any business process required for the selected use case, including SIM card registration, opening a bank account, and more. “We are very impressed with the fingerprint matching rates and comforted by the anti-spoof capability offered by the T5-AirSnap. We have evaluated many technologies, but certainly, TECH5’s focus in this space is paying dividends in its result.” – Comments Justin Lipshitz, CEO at Axon Wireless.
Ameya Bhagwat, Senior Vice President of global sales and business development at TECH5 commented: “We are delighted to announce our partnership with Axon Wireless and are looking forward to empowering customers in MENA and other regions with a fully automated, inclusive system, ensuring fraud prevention and allowing users to access services in a fast and frictionless manner.”
The partners plan to provide this new offering enhanced by contactless fingerprint capture capability for testing in several countries in the MENA region within the next month.
Ofcom criticised for sharing news that company finally deploys age assurance technology through its enforcement programme, 3 years after law was passed
Ofcom has been challenged by the Age Verification Providers Association for crediting its enforcement programme for age assurance, as it announced a major UK adult video sharing site, TAPNET, has just implemented age verification measures, three years after the law making it mandatory was passed.
“Kudos to TAPNET!”
Jessica Zucker, Director of Online Safety Policy at Ofcom, was criticised for promoting the company’s late compliance with age verification legislation which the AVPA campaigns to ensure exists across regulators, governments, companies and the market force of age verification technologies.
She commented on the “positive outcomes of constructive regulatory engagement” between regulators like Ofcom, in the media and digital domain, and digital services. The accusation was levelled to the Online Safety Director that companies should comply with their responsibilities to keep children, in particular, safe online before regulatory intervention is necessary.
Ofcom opened an enforcement programme in January to identify UK digital video-sharing sites which operated without complying with the standard for age assurance for users. Whilst seeming to crack down on the visibility of adult content sites to young users, the news of TAPNET implementing the changes enforced by Ofcom only comes to light now despite it approaching nearly 1 year since the investigation was opened on 10 January 2023.
The fact that a law has existed for three years shows no urgency of regulators or companies. Ofcom “considered” the measures that platforms had implemented to gain “assurance of the age of their users and prevent “under-18s/ minors from watching pornographic videos” online, which indicates a divide of companies not complying with the rules as next iterations of the internet like WW3 emerge.
The analysis of RealMe – TAPNET’s pornographic platform – did raise some concerns, Ofcom said, regarding ineffective measures to protect and verify underage users using their service, however the “period of close engagement” to enforce compliance with its requirements still suggests not enough was done soon enough and to avoid intervention.
The comment in retaliation to Ofcom’s press release on LinkedIn argues that “if this approach is taken to the Online Safety Act (by all companies), it would be 2028 before better protection for children is offered online”. This would mean child protections in online spaces would be in fact delayed in practice 7 years behind the ICO’s Age-Appropriate Design Code of 2021, as required by the Data Protection Act (DPA) 2018.
The Code is enforceable under the UK GDPR and DPA laws and imposes a set of standards that must be met by the design of online services in the best interests of a child.
Ofcom’s role is to meet the legal provisions in Part 4B of the Communications Act 2003 to ensure video-sharing platforms (VSPs) based in the UK “have appropriate systems and processes in place to effectively protect their users from harmful video content in the scope of the VSP regime”.
Ofcom also noted that since January the programme worked closely with platforms to better understand their “approaches and any challenges they faced when considering implementing age assurance measures”. Whilst not responsible for creating the law, they had demonstratable powers to enforce sites’ compliance with the requirements for age assurance solutions and show no tolerance for excuses.
The assessment drew conclusions about the lack of meaningful measures enacted in Schedule 15A of the Act which should have better protected users under the age of 18 from videos containing restricted material, specifically pornographic content.
Arguably only being forced to make the changes with intervention, TAPNET did however in the wake of Ofcom’s report obtain the assurance of the age of RevealMe users by requiring age verification upon entry to the site or authentication through a validated and registered account. The site could not implement a third-party automated age verification tool to the timeline Ofcom require to verify valid user identification documents.
The statement also said: “Tapnet quickly introduced its own interim age verification measure until its longer-term solution was ready to go live”.
Ofcom concluded the company’s “willingness” to address their concerns and “desire” to protect users led them to decide no further investigation was needed. Ofcom overlooked earlier action taken against TAPNET for failing to respond to a freedom of information request, but said it would continue monitoring the site.
On 29 September, 2023, Ofcom announced the extension of the enforcement programme for a further 3 months, expected to end in December. Notified and non-notified adult VSPs were assessed, some gaining certification and others not.
Cypriot digital onboarding project for credit institutions awards tender to owner of KYC Portal, Aqubix
The Central Bank of Cyprus which is embarking on a new digital onboarding project has offered a tender to two companies, Aqubix Ltd and Infocredit Group Ltd. The joint collaboration will implement Aqubix’s KYC portal, which supports regulatory compliance and risk management for customer onboarding, and data capabilities to protect existing and new credit customers.
Aqubix boasts solutions to store and retrieve big data which enables the financial sector to operate in a consumer-empowered economy and assess risks. Without the need to visit physical branches, customers of credit institutions across the Cypriot banking landscape can easy onboarding, secure verification and authentication to give banks full assurance of knowing their customer. The agreement has secured a myriad of banking institutions onboard including the Bank of Cryprus, Hellenic Bank, the Cyprus Development Bank and Eurobanks with the support of the Bank of Cyprus governor.
Web3 Foundation, the launchpad for the Polkadot blockchain protocol, has announced new applications to grow their Decentralised Futures Program.
Raising over $45 Million USD for 2024, the initiative’s objective is to encourage more investment to support the growth of connected blockchain systems for the next iteration of the internet. The funds will be channelled into teams and individuals working to scale projects for the blockchain ecosystem and explore decentralised data models.
Newly appointed Chief Executive of the Web3 Foundation, Fabian Gompf, commented: “The Foundation believes its strongest asset is the community itself. The decentralized Futures Program doubles down on this belief, allocating sizeable investments and grants that can accelerate the growth of decentralized technologies. By empowering our community to lead the next phase of the development of Polkadot we are tapping into the diverse capabilities of our community, and moving away from centralized stewardship of the protocol. In doing so, the program represents a meaningful step closer to realizing the fundamental vision of the Foundation: creating a decentralized internet where users control their own data, identity and destiny”.
Norwegian authorities are imposing a temporary ban on Meta companies – Instagram and Facebook – for targeting personalised ads to their users using their personal data. The adverts are driven to specific users by behaviour insights based on their region and online activity.
Meta’s data use has been probed by regulators before like the Court of Justice in Luxembourg and Irish Data Protection Commission. The 3 month ban, which commenced in August, will still allow Meta to power personalised campaigns to users however users must have given consent in their ‘about me’ section.
Social media platforms have flouted GDPR regulations since 2018, according to SurfShark with Meta’s fines eclipsing $2.5 Billion. If Meta fail to comply they will be handed a hefty fine of 1 million Norwegian Krone.
Brian Broderick shares what impact daily fraudulent applications have on the USCIS, where fraudsters feel emboldened to apply for legitimate citizenship using false identities and passport photographs. This interview, captured at Identity Week America 2023, also delves into the growing number of fraudulent interview appointments.
However, with the USCIS successfully delivering thorough checks of evidence-based documents, no stone is being left unturned when assessing applicants’ full immigration journeys. Hear about data privacy, including for vulnerable populations and lots more!
The UK government has made a series of changes to the Data Protection and Digital Information Bill which it calls “common sense” to prevent fraud and protect the public.
Transparency over data in general is emphasised in the changes to enhance cooperation with the government to tackle common benefit fraud. The government will require third parties such as banks and financial institutions to be fully cooperative on sharing mandatory data.
And privacy concerns are still taken seriously by the government’s own standards, meaning only a necessary amount of data will be accessed and “only in instances which show a potential risk of fraud and error”. However, it is clear the government desires more control over data available to them in the private sector to quickly detect fraud within government operations.
The government’s aim is to reduce benefit fraud and safeguard up to £600 million of tax payers money over the next five years.
Anti-terrorism police will also possess additional powers under the amended bill to enforce the collection of biometric data, such as fingerprints, from foreign criminals to enter into the national police biometric database. The data shared by INTERPOL will be able to be retained indefinitely just the same as for convictions secured in the UK.
Secretary of State for Science, Innovation and Technology, Michelle Donelan, said:
“These changes protect our privacy and data while also injecting common sense into the system – whether it is cracking down on cookies, scrapping pointless paperwork which stifles productivity, tackling benefit fraud or making it easier to protect our citizens from criminals”.
Is AI Act bowing down to “European wannabe AI foundation models” with compromises? Experts have their say on these companies scuppering innovation.
The big tech firms rallying together against the EU’s AI Act, which they argue is “over-regulating” powerful foundation models like GPT-4, also known as General Purpose AI, will almost certainly be disbanded. These companies lobbying against the type of strict regulation contained within the AI Act are in danger of negating what the Act set out to achieve.
Throwing out the proposal, Axel Voss, Member of the European Parliament for the Cologne/Bonn region (CDU), said the regression of the Act on Foundation Models in favour of such minimal “mandatory self-regulation” would require the same insufficient benchmark for standards on issues like “transparency, cybersecurity and information obligations”, standards that are well-defined in the Act.
He suggested on social media the proposal was backwards, non-sensical and would dilute necessary strong regulations to manage all AI technologies, including the advanced models of General Purpose AI which power the famous generative chatbot, ChatGPT.
He also said: “The regulation of #AI has a global dimension, even the US executive order calls for it. We cannot fall behind. Of course, I have always said and maintain that we should not over-regulate. But we cannot simply ignore or downplay the risks that come with it, including on foundation models”.
The attempt to derail the AI Act which is entering its final phase to be implemented came on Nov. 23 when a letter was written to the EU Commission trying to protest against “harsh” regulations. The letter was undersigned by 33 companies, allegedly containing supporting data that only 8% of EU companies use AI. The commotion of Chat GPT and OpenAI is only evidence that AI innovation is happening worldwide, but it’s innovation, carrying significant harms too, needs to be carefully managed.
MEPs also assembled a close ring defending stricter regulation for those powerful AI models. After initial consensus on a tiered-approach, the mediation with techs derailed even more seriously when German, French and Italian governments seemed to take the oppositions’ side, pushing back on obliging to the Act’s stance on foundation models. This recommenced the chaos within Parliament.
Axel Voss has equally shared his view that the Parliament has bowed to AI Act protesters in this way with a final Act looking to be diluted.
He argued for what impact no AI Act would actually have on companies:
“Such outcome of the AI Act negotiation would dump all the regulatory burden and compliance cost to the companies downstream: those that train foundation models to develop AI applications for specific use cases. These are mainly SMEs. Frankly, I do not understand this”, he wrote. It makes the compliance requirements for innovative companies even harder to meet.
“It makes Europe even more dependant on a handful of, mostly foreign, dominant players.
Isn’t it better, even for the EU’s aspirant AI champions like #Mistral and #AlephAlpha, to work with the regulators and outcompete #OpenAI and the rest with products that are designed with inbuilt compliance?” he continued.
Companies are just played the “narrative of BigTech against the DMA” in wanting to be similar European wannabe AI foundation models rather than seizing the opportunity to join forces with the regulators.
A digital wallet produced by fintech company, RD Wallet Technologies, will integrate banking and e-commerce applications that enable traditional cross-border payments to be made as well as crypto.
Digital wallets have a fragmented place amongst Hong Kong’s cash-legacy economy much like mainland Europe and the rest of the world excited about wallets but still fine-tuning their openness on standards and technical interoperability while even navigating the potential to intermix real and cryptocurrencies.
With 9 in 10 consumers having used a digital wallet, China has been just as receptive to digital credentials but enwrapped in the necessary licensing requirements.
A taskforce was first assembled in 2014 to study a course of direction for the development of a Central Bank Digital Currency (CBDC) and Hong Kong’s readiness in issuing a CBDC to retail and e-commerce set the trend going across the world. The Hong Kong Monetary Authority in 2022 embarked on the e-HKD Pilot Programme, which called on participants for prototyping and testing of electronic versions of bank notes within the e-wallet entity to make any retail purchases.
Just in October 2023, the HKMA formed the CBDC Expert Group for creating policies and nurturing technical cohesion of cryptocurrencies across wallets through partnership and knowledge exchange on CBDC research. This
With no national wallet, bankers like the fintech founder, Norman Chan Tak-lam, or other firms focused on stablecoins or Web 3.0 could emerge in the near future, but China is looking to stabilise the emerging digital banking space at least by 2024.
The RD Wallet will see other fintechs pushed to innovate China’s economy further into a financial capital of the world, converting multiple dominant currencies: the Hong Kong dollar, the yuan, the US dollar, the yen and the euro.
A stored-value facility licence for the RD wallet came into effect in December, giving the final approval from the Hong Kong Monetary Authority (HKMA) in April.
“While the rapid evolution of generative AI (Artificial Intelligence) brings new possibilities for creative expression, it has also led to growing concern about the impact of altered or manipulated imagery in journalism,” said Yann Salmon Legagneur, Marketing Director, Imaging and Product Solutions, Sony Europe.“The dissemination of false information and images has real world social impact that brings harm not only to our photojournalist and news agency partners, but to society as a whole. We care deeply about this challenge and are committed to using our resources to help solve it. Through Sony’s work on the steering committee for C2PA (Coalition for Content Provenance and Authenticity), we have helped set the current industry standard for the tracking of editing and manipulation of imagery. Additionally, our in-camera authenticity technology has shown valuable results, and we will continue to push its development towards a wider release.”
“Fake and manipulated images are a major concern for news organisations. Not only do they contribute to mis- and disinformation but ultimately, they erode the public’s trust in factual, accurate imagery,” said David Ake, AP Director of Photography. “We are proud to be working alongside Sony Electronics to create an authentication solution that can help combat this problem.”
“We appreciate the significant challenge that manipulated imagery poses for our partners, and we are highly motivated to play a role in helping solve it,” said Dennis Walker, President and Founder of Camera Bits. “Photo Mechanic has been used by the photojournalism industry for 25 years and continues to evolve as the industry introduces new technology. We are committed to ensuring Photo Mechanic remains a trusted and authentic workflow solution.”
Datakeeper, digital wallet app that boosts the real estate sector for KYC procedures and mortgage applications, is to break away from its parent company, Rabobank.
The privatisation signals the growth and standardisation of Datakeeper since being launched in 2017 as a privacy-minding wallet solution to share mortgage applications with sellers, estate agents and other parties. The Rabobank powered start-up is built on a set of KYC and credentialing procedures to securely verify the identities of all parties involved in mortgage applications.
Taking to LinkedIn, Marnix van den Bent, Co-Founder and CTO of Datakeeper announced: “I am thrilled… that the Rabobank spin-off Datakeeper Nederland now continues as a separate company! As CTO I will continue to deliver top-notch tech that exceeds our scaling ambitions”.
Whether applying for a mortgage or renting a car, the Datakeeper app ensures the applicant’s personal details and financial information is protected through a self-sovereign data exchange.
Separating the two company’s operations will allow other organisations to support its development to standardise transactions made through the wallet application.
In a secured verifiable transaction, the verifier receives “all the data he wants about a client in the best way that’s possible – structured, semantic and signed”.
As well as prioritising a decentralised solution, where Datakeeper cannot access any of the applicant’s data, privacy means enabling the customer can have selective disclosure of their private information which the company takes extremely seriously.
Datakeeper promises that the customer does not “have to share a whole document containing for example their social security number” for third-parties to trust the “correctness and actuality” of data shared to them.
“The privatisation of Datakeeper will allow us to focus on our core banking services while granting Datakeeper the autonomy it needs for specialized growth and innovation”. – John Doe, CEO of Rabobank.
“Rabobank aims to unlock new market opportunities, attract strategic investors, and foster dedicated innovation in the data management sector”.
We may be witnessing the revival of the US state’s relationship with Silicon Valley tech firms for capital surveillance.
AI guru Sam Altman, creator of Chat GPT at OpenAI before his shock dismissal this week, is an investor of a number of Silicon start-ups developing drones.
Skydio is a Silicon Valley firm deploying artificial intelligence to make self-operating drones and one of the contractors engaged by the New York Police Department, as well as another start-up, Brinc, where Altman is an investor in night-vision camera surveillance.
“The state is dragging itself into the digital age”, The Economist writes, in order to be seen to deliver national security of its infrastructure and invade more civilian lives.
“Techies are also selling tools to help law enforcement make better use of the profusion of images and information now at their fingertips”.
“Surveillance is likely to remain lucrative, not least because governments are not the only customers for these technologies”.
Denny Prvu: Royal Bank of Canada being multi-faceted on fraud, and traditional banks versus emerging bank responses
Taking us through the modern landscape of financial services, comprising of traditional and challenger services, Denny Prvu, Director of Architecture – Innovation and Technology, Royal Bank of Canada, gives his view on whether responses across the sector are immediate to customers reporting fraud incidents.
Emerging banks wanting to adapt to remote services versus the face-to-face model that legacy banks want to sustain determine different ways of how the financial sector tackles fraud today.
Find out more on new Know-Your-Customer (KYC) protocols for customers and employers and lots more in this full 4-minute interview for Identityweek.net at Identity Week America 2023.
The dates for next year’s event have already been announced! On 11-12 September 2024, plans are already underway to bring you an even bigger forum for 4,000 leaders in the identity industry. Look out for more details!
Luxembourg will perform four pilot use cases of the EU’s proposed digital wallet spanning public and private sector applications, such as eGov services.
The proposal is led by the EU Commission which delegates use cases to the POTENTIAL Consortium (Pilots for European digital Identity wallet). Luxembourg is a member of the Consortium.
Over 26 months of the running pilot scheme, countries will test the effectiveness if they launched their own digital wallet saving digital credentials onto their mobile device, which could open up easier digital banking services, eGov services, mobile driving licences and legally signed digital documents. While the EU digital identity proposal, eIDAS, may seem imposed on member states, ongoing partnership still needs to establish if tested solutions can be implemented on a large scale for EU-wide citizens, not just individual countries, ensuring technical interoperability and standards at a European level. Doubts over privacy and data ownership have also been entangled in the recent amendments of eIDAS regulations, which were accepted last week.
The Ministry for Digitalisation and the CTIE will participate in testing the national digital wallet against variables like speed and efficiency when verifying and onboarding a citizen to access government services. The merits of having a digital bank account that can be opened securely and seamlessly with a digital identity go far beyond the financial services to enabling unlimited access to everyday services.
Moreover, their pilot will scrutinise the benefit of having electronic driving licences integrated in their digital wallet to present to police forces or recognised by car rental agencies throughout Europe. The integration of a “Qualified eSignature” to sign digital documents that have legal value also serves the EU citizen wherever and however they want to transfer an e-document to a constituent like an employer.
Enabling citizens to sign documents remotely – if interoperability is achieved across Europe – should be recognised by all Member States when the EU digital identity wallet is implemented. The EU Commission’s objective is to evolve these national digital ID apps to integrate eIDAS protocols and standards.
The second revision of the eIDAS regulation aims to provision at least 80% of citizens of European member states with an open, interoperable digital identity solution by 2030.
POTENTIAL, which is fully aligned with eIDAS, call upon 140 public and private members from 19 Member States of the European Union to solve technical, business and regulatory issues around providing a digital identity.
Solving the authentication problem would have an immediate and significant impact on improving cybersecurity worldwide. So has a garage-level tech start-up based in Austin done just that?
The Trust Nexus (https://www.trustnexus.io) claims to have solved the authentication problem without the passkey, ensuring the longevity of passwords that still remain a popular authentication method for users. The company is not following FIDO’s consensus of passkeys over the password. The technology has been notably recognised for ensuring simple passwords become highly secure on trusted systems and that the user’s private key stays securely on the user’s mobile device.
In FIDO Passkeys (Microsoft, Apple and Google) the operating system controls the user’s private key and it can be transferred to other systems through the user’s account. It also means that Microsoft, Apple and Google have access to your private keys (and data metrics on every application you use).
Some of the key aspects of the technology:
- It is open-source and mostly free (they retain the rights to cloud based services).
- It can be run as a closed ecosystem within a corporation or government agency
- Eventually, for three party digital credentials (finance, insurance, government services, etc.) there will be a worldwide identity ecosystem, that surprisingly will not contain any private user data.
Trust Nexus are attempting to form a research consortium that will first perform an in depth technical review and then deploy a POC.National Cybersecurity Center of Excellence: “At the NCCoE, we bring together experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure.”https://www.nccoe.nist.gov/They also hope to engage some of the major players in biometrics, which can be integrated into their digital credentials.Their dream scenario is to engage major financial institutions, leading universities and key government agencies; most notably, the
The change over to digital immigration status documents looks set to accelerate in 2024.
Starting with more trusted assurance of someone’s real identity during the application process, a common loophole which fraudsters take advantage of, the UK’s scheme will be massively improved by implementing digital documents.
eVisas already exist within the UK immigration system, however, in the new year a bigger tide of changes to make digital visas permanent as part of the EU Settlement Scheme will get underway.
The changes will be constant throughout visa applications, to entering the UK border and evidencing a legitimate right to work.
Positive impacts will also be felt by international recruitment by being able to identify eligible workers more effectively who can add value back into the economy. The e-visa will be more robust and secure to reduce counterfeiting unlike a physical document, as well as reduce waiting times to physically collect a visa in-person.
The trust and assurance that digital provides generates convenience and better processing at border controls.
Throughout 2024, all relevant visa holders – skilled workers first – will be contacted to register an UKVI account and switch to an e-visa, which their relevant information can be shared on securely to third parties and constituents like employers.
Applicants will be able to update personal details, such as passport information and work history, and provide access codes to potential employers to demonstrate their right to work.
An EU MP, Rob Roos has publicly cast doubt over Europe’s stance on digital identity as regulation changes to eIDAS were approved last week. Roos said digital identity is an ‘instrument nobody asked for’ which has been pushed down from the top parliamentary authority, in an interview for Sky News Australia.
With new digital ID wallet pilots just announced in Estonia and Luxemburg, digital identities have become a crucial part of delivering government mandates for digitalisation, social inclusion, economic stability and promoting innovation. The amendments to Regulation No 910/2014 have been promoted as going to ‘harmonise conditions’ around decentralised data ownership for citizens in the EU’s proposed digital identity framework, but since being legislated in 2014, there is no doubt eIDAS’ role in governing the widespread use of digital identities.
Critics opposed to eIDAS put forward the adjoining argument concerned with privacy, as well as delivering social inclusion for citizens who will have more access to public and private services. Both a challenge of and a perspective on eIDAS is that the EU has been pushing and driving for a cross-border digital identity which is accepted by international organisations and financial institutions. At a cost, those who reject eIDAS believe it enables governments more than citizens in the capture of more data used to monitor how people are interacting with government and private services.
The definite direction towards digital raises potential concerns for citizens’ privacy when they can bypass verifying via a commercial provider to use their own wallet storing their digital credentials. A disconnect with verified physical identity appears even greater and opens the increased risk of identity-related fraud and cyber crime.
The digital identity is sold as a solution for ‘convenience’, enabling people by 2023 to access key services online, electronic medical records and hold an eID.
“When governments have access to infrastructure, they will use it. Always”
Whilst setting out milestones that digital identity will help achieve, the communication around eIDAS built upon the 2020 strategy for Europe’s digital future has not addressed problems such as how companies will often access more personal data than they require for verification by requesting digital identities. Moreover, citizens’ personal data is not safe. The eIDAS framework proposes to ‘govern’ currently 19 national eID systems implemented by 14 member states, which all follow “varying standards” and “focus on a relatively small segment of the electronic identification needs of citizens and businesses”.
Moreover, there is currently no requirement for all EU Member States to develop an national eID which is interoperable and open with eIDs developed by other member states where partnership would be necessary. More broadly, regulatory EU bodies have not converged standards and certifications ensuring compliance of all technical solutions in the market for digital identity verification. For example, while in the UK the Digital Identity Trust Framework makes recommendations on the trust assurance qualities of any digital solution, there is no current passed requirement enforced by the Home Office for certification of third-party digital verification solutions.
The “Updating the European digital identity framework” briefing report, produced by the European Commission, includes the views of an expert group on eID and know-your-customer (KYC) processes that recognised that “national regulatory bodies across the EU have different standards regarding the compliance of technical solutions for digital identity verification”.
“Meanwhile, identification and authentication means developed by the private sector outside the eIDAS framework can only go so far in responding to the challenge. User friendly third-party authentication services (for instance, using a Facebook or Google account to log in to different services) are common for accessing unregulated private online services that do not require a high level of security, but they cannot offer the same level of legal certainty, data protection and privacy, mainly because they are self-asserted and do not provide a link to trusted and secure government eIDs”.