Preventing Abuse of Digital Credentials

APIs that facilitate access to verifiable claims about identity, such as the proposed Digital Credentials API, are starting to be developed and deployed. A large number of jurisdictions are starting to create digital identity systems for their citizens. The Federated Identity Working Group includes an API for accessing these systems as a chartered deliverable.

Digital identity APIs provide a convenient way for websites to access proof of legal identity. This convenience leads to a range of implications for privacy, as noted in a recent objection to the formation of the Federated Identity Working Group [OBJECTION].

The TAG believes that the addition of government-issued digital credentials to the web has great potential to cause the harms listed in the objection:

• Increased sharing of personal data and corresponding reduction of privacy due to reduced friction for sharing such data.
• Increased centralization of trust on the Web.
• Increased restriction of the ability to publish, view, and participate on the Web, and corresponding fragmentation of the Web as a whole.
• Reduction of user agency and perpetuation of existing societal power imbalances.
• Expansion of use cases such as age verification where credentials may be requested or required inappropriately or coercively, raising concerns about government or platform overreach.

The report produced by the W3C Council [COUNCIL-REPORT] also acknowledged these problems and recommended that these concerns be addressed in the work of the Working Group.

The TAG believes that the addition of government-issued digital credentials to the web has great potential for harm.

The benefits of digital credentials must be aligned with the web user's needs. Following our established principles for privacy, this includes providing people the tools to understand and control how their personal information is collected and used. A browser — or user agent — plays an essential role in mediating these types of requests and ensuring that people have agency.

The web should not become a platform that demands your government-issued identity documents, in the course of its normal operation. Use of such credentials should be exceptional, only when required, and always on a person's own terms.

The TAG therefore encourages contributors to pay special attention to the societal impact of digital credentials.

There are multiple reasons that a site might seek to ask for proof of legal identity. Often, there are multiple reasons that a site seeks to identify a visitor.

Motivations that tend to produce user-beneficial outcomes include:

• Obtaining some means of holding a person accountable for a range of abusive behavior.
• Avoiding impersonation, especially for social media accounts of prominent individuals or organizations.
• Legal mandates, such as know-your-customer regulations common to financial services.

These uses are not necessarily directly felt by people who are required to present credentials, but they can provide a societal benefit that outweighs the costs to individuals. Each of these still carries the potential for abuse.

There are also motivations for which requesting identification is not justified and those that are outright harmful to end user interests:

• Distinguishing between visits from real people and visits from bots, which might need to be handled specially.
• Personalization, such as being able to appear more friendly by greeting a person by their name.
• Tracking, which takes identity presented to multiple contexts and links that activity to a single person.

That is, while at least some of these goals are beneficial, the use of identity documents is not appropriate. Any benefits are not justified by the cost that people pay in terms of losing their ability to control the identity they present [PRIVACY-PRINCIPLES]. Other goals are inherently objectionable.

Once someone has provided legal identity, sites are technically able to use identifiers in any way they choose. Technical privacy protections that might be implemented in a browser cannot help. Legal protections might apply to misuse of identifying information, but that depends on effective detection and enforcement.

Tracking practices are moving away from largely hidden mechanisms — like cookies — to systems that require the use of stable identifiers. Once identifying information is provided, sites might then assume that they have consent to use identifiers for a range of purposes. Of course, without a viable alternative, any consent to use identifiers is a fiction.

Perhaps the most serious consequence of obtaining an identifier is that sites are then able to trade information across any contexts where a person has provided that same identifier, online or offline. The resulting profiles are then used for many purposes including advertising, credit ratings, and market analysis.

The TAG regards unsanctioned tracking as unacceptable and has advocated for technical measures that curtail these practices. The TAG has also unequivocally condemned cross-site cookies and called for browsers to disable them.

Technical measures to prevent tracking are consistent with the TAG's documented principles for privacy. These principles articulate why privacy is essential to maintaining personal autonomy. The same high-level principles are shared by the many jurisdictions that have implemented data protection legislation. The goal of data protection is to protect a person's rights over how data about them is used.

Absent the ability to request legal identity, sites might ask for other identifiers, like an email address, credit card, mailing address, or phone number. Those identifiers could offer more privacy options, to varying degrees. For instance, email services can provide temporary or site-specific aliases to enable the creation of context-specific addresses on demand. Similar aliasing is achievable for other types of identifiers that are in common use, though it can be both significantly harder and more expensive. No such flexibility is possible when it comes to legal identity.

A streamlined process for providing verifiable identity reduces the cost of requesting and providing that information. In turn, this will make sites that would otherwise not ask for information choose to take advantage of reduced friction to make a request.

Though increasing friction might not be worthwhile, other mechanisms might be used to disincentivise requests for legal identity. A method that might alter the costs for site operators is described in 7.1 Authorizing Sites.

Normalizing the practice of providing identity credentials to websites risks serious harm. Providing any form of external identity information needs to be an exceptional process.

For example, it is entirely inappropriate to use government-issued credentials as a login credential, even if credentials are used during account creation.

Online services that have real-name policies are justifiably controversial. The use of legal identity provides very different social dynamics when compared with pseudonymous or anonymous systems.

Insistence on use of legal identity inevitably excludes certain people, which can be for a range of reasons:

• Sites that only recognize credentials from local authorities could unjustly exclude people from out of town, either temporarily or permanently.
• People might wish to remain anonymous for any reason, including fear of harm to their reputation or person.
• People might temporarily lose access to credentials because of a lost personal device or temporary disability.
• People might be completely unable to obtain or use credentials.
• Systems that include the ability to revoke credentials can be abused by attackers to forcibly exclude people.

In some cases, such as Aadhaar (5.1 Case Study: Aadhaar), the law recognizes the risk that people might not be able to produce evidence that they hold a credential and forbids discrimination against those who do not authenticate. However, what matters is whether refusal is respected in practice.

Even if laws only permit the use of digital credentials as a convenience, there is a risk that no alternative means of access to services are provided. This leads to exclusion.

It should not be possible to refuse service to a person based on their refusal or inability to provide a digital credential. This is aligned with such principles as not revealing when assistive technologies are in use or non-retaliation.

A better understanding of why sites seek to obtain and use identity is necessary. While the universality of a generic solution is appealing, each use case could depend on providing different sorts of information, as discussed in 3. Uses for Identity Information.

Each use case might require a different type of solution. Different solutions can have dramatically different privacy characteristics.

The properties of different approaches need to be understood and matched to needs. A possible data minimization approach might choose to use selective disclosure, so that people can choose what is disclosed to sites. Such a system can accept the linkability risks on the basis of the need for identifying information. Such a system might instead avoid identifying information, but rely on linkability as an essential feature, because it might be used to trace bad actors when necessary. These are very different reasons to use the same technique, with dramatically different privacy and control characteristics.

A system that seeks to authorize based on certain traits — such as a system to authorize access to online gambling, something that might be restricted by age or past history of susceptibility — might be best suited to a zero-knowledge system that provides strong unlinkability.

This highlights that there is no single approach that will work in all cases. For a web API, like digital credentials, this is challenging, because such APIs need to serve a range of purposes. However, this highlights that it is unlikely to be clear to the people who need to authorize use of their credentials whether the system they are participating in has adequate safeguards for the situation.

Developing a better understanding of what is appropriate for a given situation will take time. Developing the necessary understanding of different uses of new technology — and then evolving norms to handle those situations — is not something that can be rushed. Deployment is.

The TAG supports the work on digital credentials. And we also encourage the groups working in this space to consider all the risks associated with these technologies with open eyes, and to develop mitigations where possible. We encourage threat modelling to understand how these technologies can be misused and potentially lead to unintended and negative societal consequences.

In the Ethical Web Principles, we called for putting "internationally recognized human rights at the core of the web platform". We can think of no area of current work where this is more important.