Where next for online identities? Notes from NGI Forum from workshop 1

Workshop held during NGI Forum 2019 (more information). This document contains notes, curated by Edgeryders in the context of the NGI Forward project, but open to the contribution of all.

Moderator is @RobvanKranenburg.

Oskar van Deventer – Self-sovereign identities

Many organizations are administration factories. Every time you interact with them, they ask you for information, which then they process (name, email, phone number).

There is a different way to do it. People have an information wallet, and orgs ask the wallet for exactly the information they need, not more. People can comply, or decline, or even report excessive requests for information. This is a SSI.

This ecosystem consists of issuers, holders, and verifiers of identities. Oskar has a demo based on the story of a patient ordering drugs online. The eSSIF-Lab EU project provides funding for technology development and business applications based on this idea. The first open call is going out in early 2020.

Q: How would the data storage work? Some kind of citizen wallet, but how do you implement it?

A: The concept we are working on lives on issuer DBs, accessed through a phone app.

Q: What prevents service providers from asking for all of the individual’s data, and the person accepts because she needs the service?

A: This is my nightmare. You cross the Chinese or US border, and then some kind of data vacuum cleaner empties your wallet. This might require issuers policy, stating once and for all what can be done with those data. But I do not yet know how to solve it.

Gaëlle le Gars

I want to share with you how the Commission sees this issue now.

There are two major trends that have undesirable consequences. One is social credit scoring. In Europe we are likely to see a “consumer scoring” version of it. Companies share information on you as a consumer, determining whether you are an undesirable customer. Undesirables are ostracized, made to wait for help, unacknowledged. This is illegal, but the infrastructure is there (it is GAFA), so we suspect this is happening.

The other trend is the integration of identification databases across the EU on the grounds of police and justice administration. There is a regulation for interoperability of these DBs across the EU, including a lot of info (like: travel information).

However, there are also two opportunities. One is e-government applications; the other is that this is now a centerpiece of EU policy, so things can happen to defuse these risks.

Q: How does EIDAS play into these scenarios?

A: (Loretta) It is time that you people – not the Smart City crowd, not the IoT crowd – take control of this issue. There is something profoundly human about freedom from surveillance, and identity is political. Speak up, and apply for funding if you have ideas to implement in this space.

[Round of presentations follows]

Maria Rautavirta: Human centric data economy

• Re-using personal data creates new business opportunities
• But people should be included in the decisions about what is done with their data.
• Currently it’s mostly open data that are being exchanged. All other data does not travel much, in sits in data lakes with a big lock at the door.

Finland has come up with Data principles to enable more data exchange. They are human centric, thriving (efficiency gains from exchange) and balanced (divide fairly the benefits of the gains). There are six principles: Access, Share, Act, Innovate, Trust, Learn, all this by default. They are available at https://dataprinciples2019.fi .

Federico Bonelli: wrap up

The problem of identity is central, not only in policy but in philosophy and the arts. It is a complex problem, but there is a core simplicity. In logic, A=A: an entity coincides with itself. When I pass the border between Finland and Russia, a frontier guard looks at my passport, and validates that I am Federico. Data in the passport matter, but maybe it is the validation that matters most. Now we are discussing about other methods of validation, algorithmic. Loretta said that identity is political; and politics, as defined by Aristotle, is definitely not a science, more like a kind of art.

Loretta Anania’s suggestions for wrap up

1. Where is the ecosystem?
2. Oskar’s nightmare scenario: “wallet vacuum cleaners”.
3. Gaëlle’s two risks and two opportunities.
4. The opportunity to build offered by the NGI initiative.

Also ping @hugi!

During this session, I had a sort of epiphany: self-sovereign identities and decentralized governance of personal data are incompatible with monopolies. We agree to anything, when that unlocks a service we need. Imagine you had one of these amazing data wallets, allowing you to authorize which services can access which personal data. Now imagine that your bank, or your keystone social networking service, told you “I want access to all of your data, or else you don’t get an account from me.” What are you going to do? You cannot function in modern society without a bank account (or, some would say, a Facebook account). So you agree. You agree to anything at all. That’s not because of any technological issue. It’s because you have no power.

We have been in a similar situation before. In the early 20th century, for-profit companies operated public utilities like energy, water, rail transport. This happened because of technological reasons: building two aqueducts in the same city is wasteful. The first company that builds an aqueduct can obtain monopoly of water provision in that city, and maintain it forever. This was called a natural monopoly. Today’s “network externalities” provoke a similar effect, and for similar reasons.

This situation led to massive profits, driven by the power imbalance between monopolist providers and users; to the exclusion of less affluent users; and to rent extraction, pushing potentially viable businesses into the red. Europe responded with antitrust legislation, with its array of policy tools: nationalizations, tight regulation by specialized agencies, and direct provision, with public sector actors starting their own water, energy, and transport companies. Municipalism played a major role here: where the state would respond too slowly, or not at all, cities stepped into the breach, at least in some countries (including Italy). It is maybe not a coincidence that the strongest critical voice claiming to reduce the power of business was Francesca Bria’s – Europe’s digital municipalist-in-chief.

It comes down to game theory. If I had the personal data wallet right now, and my bank would refuse to accept it, saying “nah, you have to fill this online form”; or if it did accept it, but only under the condition that they get access to the whole thing… I would consent. What can I do? Now, if the European institutions owned a trusted operator that would accept that data wallet in an equitable way, now I could tell my bank “fair enough, I’ll take my business elsewhere”. This way, the game has a completely different equilibrium.

Conclusion: maybe, in order to get this stuff adopted, you need antitrust policy. Makes sense?

Alberto,

This is amazing, great work! I will work on the input from the participants that I collected next week with Federico and then we integrate your notes in there.

We will publish them here and use that to kickstart a series of discussions on “identity”.

We can also plan en evening in the Festival in Brussels on this topic,

Greetings, Rob

It looks like the US Department of Justice may open an antitrust investigation on Facebook :

I was thinking about how, ultimately, any kind of sanctions against multinational companies providing digital services could be enforced. And looked into examples where there were disputes between companies and states. It seems that if the digital service providers have contracts with states then the obvious choice would be international arbitration. Because apparently international arbitration rulings are much easier to enforce than litigation in national courts.

But apparently this requires them to have signed a contract with a mandatory arbitration clause in it (where both parties have agreed to settle via arbitration in case of a dispute). Which I am guessing that in the EU this hasn’t happened? Just a thought.

Revamping this topic after the DECODE Symposium in Turin. Monopolies and their regulation came up in a very similar way in several talks. One of the panels was called “Big tech in crisis: Policy Responses on Competition and Data Sovereignty”, and at least two people called for ex ante regulation of monopolies, and specifically blocking mergers.

• Tommaso Valletti remarked that “Google bought 270 companies in the past 18 years, and no one is looking into it.”
• Alexey Ivanov had a very nice story of how Russia vetoed Google buying up a local search company in 2008, and that resulted in competition (3 companies) on the search market in Russia to this day.
• @bruces Sterling called Vestager “the only force of law and order in digital, anywhere in the world”.

Ping @RobvanKranenburg and @katjab: something for the Policy Lab blog?