When Bart Jacobs started doing some experiments at his department at Radboud University twelve years ago, the problems with anonymity on the Internet were not as great as they are today. “It had not gone off the rails yet,” says the professor of computer security, privacy and identity. “With threats, election manipulation and polarization.”
The experiments of the academics in Nijmegen were mainly driven by new technological possibilities. Cryptographic techniques had been invented to prove data online in a privacy-friendly way. Useful if you want to know whether the person you are chatting with online is really a doctor. Or the person you sell alcohol to is really older than eighteen.
Because lack of certainty about this is considered one of the flaws of the internet. It is often unclear online who you are dealing with and what the origin of information is. That leaves a lot of room for deception and makes doing business more difficult.
The experiments by Jacobs and his colleagues went well. The scientists built a kind of digital safe in which you can safely keep 'a secret', as Jacobs explains. For example, your most personal data, which you first retrieve from the government's basic administration and put in your digital safe, wallet or 'wallet'. Or what diplomas you have, what medication you use and what you earn. The authorities that provide the information can sign it in such a way that it is established that they are the sender and that the data has not been manipulated.
From that safe, the owner can then share that information specifically with a party that wants to know something. Without also providing all kinds of unnecessary information, which happens, for example, when you provide a copy of your passport. Anyone who has to check whether you are over eighteen only needs to be sure of that and does not also need to have your citizen service number.
Once Jacobs and his team had built the software, they felt it would be a shame to throw that knowledge away. The digital safes or wallets were placed in a foundation and later further developed together with SIDN, the organization that manages the .nl domains. The identity app they offer is called Yivi and is free. “We did and do this based on the idea that digital identity should be an open domain,” Jacobs emphasizes. “Not monopolized by private parties. Just like the IP infrastructure on the Internet is something that everyone uses for free.”
Trolls and stalkers
More than ten years later, citizens' need to protect their personal data has grown noticeably. As well as the need for authenticity online, says Tom Demeyer of Waag, institute for research into technology and society in Amsterdam. He lists: trolls, stalkers, men who join support groups for young girls because it turns them on. “If people want to continue to interact with each other digitally, more is needed than now.” He emphasizes that the technology makes it possible to verify claims that a user makes (about things such as age or education). It is not about abolishing anonymity, but about, for example, being able to check whether a user of a gambling site is really over eighteen.
Large tech companies also see this need from their users and companies. They try to play a dominant role in organizing and managing users' digital identities. The tension between private and public interests is far from gone.
Major online platforms, such as LinkedIn, Tinder or online marketplaces, now offer the option of being 'verified'. That is a step towards fewer fake profiles. They use other large companies for this. LinkedIn, for example, uses Microsoft's verification software, which is appearing in more and more places. And many other websites offer the option to log in via a Google or Facebook account. The websites that rely on it have outsourced the verification of the login details to these American tech companies. Anyone who uses this provides those companies with information that they can sell every time they log in.
It is a bit, Jacobs says thoughtfully, as if you have to go through a company gate at your front door to get onto the public road. “It's about power. The party that controls digital identity is supreme.” Because he can also close such a gate.
There are many different flavors in the market, which has grown in recent years. An ID wallet has been developed by Rabobank, which is being used in more and more places, called Datakeeper. And the Dutch banks play a role in online identification with a variant of the iDEAL payment system. If you log in via iDIN, the website will contact your bank to check who you are. The bank charges a fee for this.
The countermovement is now coming from Brussels. The European Commission is trying to curb the power of the large American tech companies in particular. It has been decided that all European citizens will have the right to keep and manage their own digital identity. Countries are required to offer at least one digital locker that meets the EU conditions. From 2026, companies, online platforms and government institutions will also be obliged to accept these safes as a way to identify users.
In the run-up to this obligation, the market is in full swing. Both governments and companies are building the infrastructure necessary to ensure that all the different online identification options communicate properly with each other. Four participants, from government to start-up, about what they build:
NL WalletA 'more extensive' DigiD
The Ministry of the Interior is working on the NL Wallet. You could see this as an 'advanced form' of DigiD, explain Tim Speelman and Katinka Petronia, who are both working on it. With DigiD (over 17 million users) people can log in to government services. With the NL Wallet they will soon also be able to sign digitally and share personal data. “For example, your diploma with a future employer,” Petronia gives as an example. You need DigiD to put data from government agencies in the app. In design, they resemble cards or passes with information that go into the digital wallet.
There is an important difference with DigiD. The NL Wallet is much more decentralized. The data contained within is kept in a secure environment on the user's phone. Although contact must be made with a central party to log in, it cannot see with whom the user shares data.
A demo version of the app now exists. The source code is online (open source), so that critics but also developers in other countries can inspect it. Speelman: “I hope that this sets the tone and that people will increasingly manage their data themselves, and that companies and organizations will ask for less and less unnecessary data.” The app contains a warning in italics at the bottom of the screen: always consider whether sharing is wise.
SphereonTechnology for digital evidence
Maarten Boender, with his software company Sphereon, builds technology for governments and companies that need to issue and receive reliable digital evidence. According to European rules, there are different categories. Proofs ('certificates' or 'credentials') of, for example, place of residence, marital status, income or age, but also medical data, may only be issued by parties that meet strict requirements. There are also less sensitive 'evidence' for a digital wallet. For example, something that shows that you are a member of a sports club or have paid admission for an event. The issuing party must digitally sign that proof so that the receiving party knows where it came from and that it has not been tampered with. Boender gives an example: “As an employer, we can issue such a credential or proof of an employee and his employment. He can then share this from his wallet with a bank for a mortgage application.” The difference now is that the employer cannot see with whom the employee shares that proof from his digital wallet. That is private. The same applies to the large amount of privacy-sensitive data that is now required when, for example, opening a bank account or renting a house. The reliability of the evidence is crucial for this and the software of the sender, the wallet and the recipient must communicate well with each other.
Boender is not completely at ease with the new reality. Privacy also requires self-control by governments and companies. The great danger is that they ask more data from citizens than is strictly necessary. And that they, tired by all the questions or powerless in the face of the government, unthinkingly press 'accept'. “Just like with cookies.”
Ver.IDIntermediary for all different wallets
The three founders of start-up Ver.iD are betting that builders of online stores and government websites will soon need an intermediary to be able to work properly with the many different identification wallets. Sten Reijers of Ver.ID explains: “What we do can be compared to the role of payment service providers, such as Adyen, Stripe or Mollie. If you bought something online, you are given the choice of how you want to pay. For example with Ideal, credit card, Klarna or afterwards.
This will soon be the case with digital identity wallets, because you have the freedom to choose which app you use on your phone. We facilitate as a species identity service provider then the exchange of data between the online service and your wallet.
Consumers probably don't notice it much, at most they see our logo occasionally. But it is nice for developers of online stores and services, because it is very complex for them to build their website in such a way that it can communicate well with all those different wallets. We want to become the platform for developers.
It is not one hundred percent what the European Commission hopes the new ecosystem will look like. They hope that no intermediaries are necessary. That doesn't seem realistic to us. It can become an implementation drama with so many different countries and so many different wallets. The data you share must pass through our platform, but we do not store it.”
YiviOldest identification wallet in the Netherlands
Yivi is the oldest identification wallet in the Netherlands. The app, which you put on your phone, was previously called IRMA. It was devised at Radboud University and subsequently developed by programmers paid by SIDN. The app is free. About 150,000 Dutch people have downloaded it. “We have shown that it is possible,” says Bart Jacobs proudly. “We have thus had influence on policymakers in The Hague and Brussels.”
There are two important principles behind Yivi, Jacobs explains. The application is built in such a way that you never have to share a lot of information unnecessarily. If you want to prove that you are old enough to buy alcohol, the app will give a positive answer to the '18+ question', but will not share the rest of your passport data, such as your name and BSN number. That principle is also the starting point for the apps that the European Commission wants for citizens.
Yivi is also decentralized. The data it contains is only on the user's phone. There is no copy in a central database. It is not yet clear whether the European Commission and the Ministry of the Interior in the Netherlands will also adopt this requirement. Jacobs has a clear preference, as can be seen from his rhetorical question: “Suppose the Chinese government chooses a login system. What do you think they are going for? They choose centrally, then they can see where people go online.”
#Share #data #securely #digital #identity #39wallet39 #phone
