Preventing Abuse of Digital Identities Credentials

APIs that facilitate access to verifiable claims about identity, such as the proposed Digital Credentials API , are starting to be developed and deployed. National digital identity systems are being legislated in a A large number of jurisdictions. jurisdictions are starting to create digital identity systems for their citizens. The Federated Identity Working Group includes this an API for accessing these systems as a chartered deliverable.

These Digital identity APIs represent provide a convenient way for websites to access proof of legal identity, backed by large-scale government projects in multiple jurisdictions. identity. This convenience leads to a range of implications for privacy, as noted in a recent objection to the formation of the Federated Identity Working Group. Group [ OBJECTION ].

A number The TAG believes that the addition of serious concerns were raised government-issued digital credentials to the web has great potential to cause the harms listed in this the objection:

• Increased sharing of personal data and corresponding reduction of privacy due to reduced friction for sharing such data.
• Increased centralization of trust on the Web.
• Increased restriction of the ability to publish, view, and participate on the Web, and corresponding fragmentation of the Web as a whole.
• Reduction of user agency and perpetuation of existing societal power imbalances.
• Expansion of use cases such as age verification where credentials may be requested or required inappropriately or coercively, raising concerns about government or platform overreach.

A The report produced by the W3C Council [ COUNCIL-REPORT (which included members of the TAG) found ] also acknowledged these concerns to be serious problems and valid. Despite this, the working group was allowed to form, though the council report recommended included a recommendation that the group seriously consider these factors as they develop concerns be addressed in the API. work of the Working Group.

The TAG believes that the addition of government-issued digital credentials to the web has great potential for harm.

The benefits of digital credentials must be aligned with the web user's needs . Following our established principles for privacy , this includes providing people the tools to understand and control how their personal information is collected and used. A browser — or user agent — plays an essential role in mediating these types of requests and ensuring that people have agency.

The web should not become a platform that demands your government-issued identity documents, in the course of its normal operation. Use of such credentials should be exceptional, only when required, and always on a person's own terms.

The TAG therefore encourages contributors to pay special attention to the societal impact of digital credentials.

Before examining the harms, it is important to understand why sites seek identity information from visitors. There are multiple reasons that a site might seek to ask for proof of legal identity. Often, there are multiple reasons that a site seeks to identify a visitor.

Motivations that tend to produce user-beneficial outcomes include:

• Obtaining some means of holding a person accountable for a range of abusive behavior.
• Avoiding impersonation, especially for social media accounts of prominent individuals or organizations.
• Legal mandates, such as know-your-customer regulations common to financial services.

These uses are not necessarily directly felt by people who are required to present credentials, but they can provide a societal benefit that outweighs the costs to individuals. Each of these still carries the potential for abuse.

There are also motivations for which requesting identification is not justified and those that are outright harmful to end user interests:

• Distinguishing between visits from real people and visits from bots, which might need to be handled specially.
• Obtaining some means of holding a person accountable for a range of abusive behavior. Avoiding impersonation, especially for social media accounts of prominent individuals or organizations. Personalization, such as being able to appear more friendly by greeting a person by their name.
• Tracking, which takes identity presented to multiple contexts and links that activity to a single person.

This list That is, while at least some of these goals are beneficial, the use of identity documents is far from exhaustive. Often, there not appropriate. Any benefits are multiple reasons not justified by the cost that a site seeks people pay in terms of losing their ability to identify a visitor. control the identity they present [ PRIVACY-PRINCIPLES ]. Other goals are inherently objectionable.

Once someone has provided an identifier, legal identity, sites are technically able to use identifiers in any way they choose. Technical privacy protections that might be implemented in a browser cannot help. Legal protections might apply to misuse of identifying information, but that depends on effective detection and enforcement.

Tracking practices are moving away from largely hidden mechanisms — like cookies — to systems that require the use of stable identifiers. Once identifying information is provided, sites might then assume that they have consent to use identifiers for a range of purposes. Of course, without a viable alternative, any consent to use identifiers is a fiction.

Perhaps the most serious consequence of obtaining an identifier is that sites are then able to trade information across any site contexts where a person has provided that same identifier. This enables tracking, a form of surveillance, where people their activities across multiple contexts, both on- and off-line, gathered into profiles. These identifier, online or offline. The resulting profiles are then used for many purposes including advertising, credit ratings, and market analysis.

The TAG has long regarded regards unsanctioned tracking as unacceptable and has advocated for technical measures that curtail these practices. Notably, the The TAG has also unequivocally condemned cross-site cookies and called for browsers to disable them . Positive trends from browsers in recent years include a range of other technical measures, including reductions in fingerprinting, state partitioning, and navigation tracking mitigations .

These technical Technical measures to prevent tracking are consistent with the TAG's documented principles for privacy . These principles articulate why privacy is essential to maintaining personal autonomy. The same high-level principles are shared by the many jurisdictions that have implemented data protection legislation. The goal of data protection is to protect a person's rights over how data about them is used.

In part due to these protections, tracking practices are moving away from largely hidden mechanisms — like cookies — to human interactions based on consent. That is, sites ask people Absent the ability to identify themselves. Once identifying information is provided, request legal identity, sites might then assume that they have consent to use that information ask for a range of purposes. Identity information might be provided as other identifiers, like an email address address, credit card, mailing address, or phone number. However, more sites also seek to obtain legal names or other identifying information. Unauthenticated systems might Those identifiers could offer people the ability to choose how they wish more privacy options, to be identified. varying degrees. For instance, email services that can provide temporary or site-specific aliases offer a way to create wholly-new or site-specific identities enable the creation of context-specific addresses on demand. The same Similar aliasing is achievable for other types of identifiers that are in common use, though it can be both significantly harder and more expensive. No such flexibility is not an option possible when providing a it comes to legal identity.

A streamlined process for providing verifiable identity reduces the cost of requesting and providing that information. In turn, this might will make sites that would otherwise not ask for information choose to take advantage of reduced friction to make a request.

Though increasing friction might not be worthwhile, other mechanisms might be used to disincentivise requests for legal identity. A method that might alter the costs for site operators is described in 4.1 7.1 Authorizing Sites .

The architecture specified in the European Union’s digital identity eIDAS regulation envisions not only Normalizing the issuance practice of digital providing identity credentials to individuals, but also the explicit authorization websites risks serious harm. Providing any form of businesses and service providers that will request those credentials. These entities (known as "relying parties") must be registered and approved by external identity issuers, before they are granted permission to request only specific types of information. This design is intended to ensure that businesses and agencies cannot request arbitrary personal data, and that their ability to do so is constrained, transparent, and subject to oversight. This depends on having a system for transparency: relying parties should provide information regarding the data that they will request, if any, in order needs to provide their services and the reason for the request. be an exceptional process.

Transparency contributes to accountability by making For example, it possible for users to understand who is asking for what, and under what legal authority. This safeguard mitigates against some of the risks associated with digital credentials. However, it does not eliminate the need for scrutiny, particularly with regard to proportionality of use, user control, and the risk of such mechanisms becoming normalized across the web. Nevertheless, we recommend that the specification authors look entirely inappropriate to such mechanisms use government-issued credentials as a guide for mitigating potential harms in this area. login credential, even if credentials are used during account creation.

Online services that have real-name policies are justifiably controversial. These systems have historically resulted in excluding certain people, often due to people having names that systems do not recognize. The use of legal identity provides very different social dynamics when compared with pseudonymous or anonymous systems.

A system that relies Insistence on use of legal identity inevitably excludes certain people, which can be for a central authority is unlikely to replicate the same failures. New risks range of exclusion arise: reasons:

• Sites that only recognize credentials from local authorities could unjustly exclude people from out of town, either temporarily or permanently.
• People might wish to remain anonymous for any reason, including fear of harm to their reputation or person.
• People might temporarily lose access to credentials because of a lost personal device or temporary disability.
• People might be completely unable to obtain or use credentials.
• Systems that include the ability to revoke credentials can be abused by attackers to forcibly exclude people.

In some cases, such as Aadhaar, Aadhaar ( 5.1 Case Study: Aadhaar ), the law recognizes the risk that people might not be able to produce evidence that they hold a credential and forbids discrimination against those who do not authenticate. However, what matters is whether refusal is respected in practice.

Even if laws only permit the use of digital credentials as a convenience, there is a risk that no alternative means of access to services are provided. This leads to exclusion.

It should not be possible to refuse service to a person based on their refusal or inability to provide a digital credential. This is aligned with such principles as not revealing when assistive technologies are in use or non-retaliation .

A better understanding of why sites seek to obtain and use identity is necessary. While the universality of a generic solution is appealing, each use case could depend on providing different sorts of information. [... need to have more on use cases information, as discussed in here ...] 3. Uses for Identity Information .

Each use case might require a different type of solution. Different solutions can have dramatically different privacy characteristics.

For example, a The properties of different approaches need to be understood and matched to needs. A possible data minimization approach might favor the choose to use of selective disclosure, so that people can choose what is disclosed to disclose, either accepting sites. Such a system can accept the linkability risks or regarding those on the basis of the need for identifying information. Such a system might instead avoid identifying information, but rely on linkability as critical an essential feature, because it might be used to ensuring that trace bad actors can be traced if when necessary. These are very different reasons to use the same technique, with dramatically different privacy and control characteristics.

In contrast, a A system that seeks to authorize based on certain traits — such as a system to authorize access to online gambling, something that might be restricted by age or past history of susceptibility — might be best suited to a zero-knowledge system that provides strong unlinkability.

This highlights that there is no single approach that will work in all cases. For a web API, like digital credentials, this is challenging, because such APIs need to serve a range of purposes. However, this highlights that it is unlikely to be clear to the people who need to authorize use of their credentials whether the system they are participating in has adequate safeguards for the situation.

Developing a better understanding of what is appropriate for a given situation will take time. Developing the necessary understanding of different uses of new technology — and then evolving norms to handle those situations — is not something that can be rushed. Deployment is .

The TAG supports the work on digital credentials. And we also encourage the groups working in this space to consider all the risks associated with these technologies with open eyes, and to develop mitigations where possible. We encourage threat modelling to understand how these technologies can be misused and potentially lead to unintended and negative societal consequences.

In the Ethical Web Principles , we called for putting "internationally recognized human rights at the core of the web platform". We can think of no area of current work where this is more important.