Preventing Abuse of Digital Identities

APIs that facilitate access to verifiable claims about identity, such as the proposed Digital Credentials API, are starting to be developed and deployed. National digital identity systems are being legislated in a large number of jurisdictions. The Federated Identity Working Group includes this API as a chartered deliverable.

These APIs represent a convenient way to access proof of legal identity, backed by large-scale government projects in multiple jurisdictions. This convenience leads to a range of implications for privacy, as noted in a recent objection to the formation of the Federated Identity Working Group.

A number of serious concerns were raised in this objection:

• Increased sharing of personal data and corresponding reduction of privacy due to reduced friction for sharing such data.
• Increased centralization of trust on the Web.
• Increased restriction of the ability to publish, view, and participate on the Web, and corresponding fragmentation of the Web as a whole.
• Reduction of user agency and perpetuation of existing societal power imbalances.
• Expansion of use cases such as age verification where credentials may be requested or required inappropriately or coercively, raising concerns about government or platform overreach.

A W3C Council (which included members of the TAG) found these concerns to be serious and valid. Despite this, the working group was allowed to form, though the council report included a recommendation that the group seriously consider these factors as they develop the API.

The TAG believes that the addition of government-issued digital credentials to the web has great potential for harm.

The benefits of digital credentials must be aligned with the web user's needs. Following our established principles for privacy, this includes providing people the tools to understand and control how their personal information is collected and used. A browser — or user agent — plays an essential role in mediating these types of requests and ensuring that people have agency.

The web should not become a platform that demands your government-issued identity documents, in the course of its normal operation. Use of such credentials should be exceptional, only when required, and always on a person's own terms.

The TAG therefore encourages contributors to pay special attention to the societal impact of digital credentials.

Before examining the harms, it is important to understand why sites seek identity information from visitors. There are multiple reasons that a site might seek to ask for proof of legal identity. Motivations include:

• Legal mandates, such as know-your-customer regulations common to financial services.
• Distinguishing between visits from real people and visits from bots, which might need to be handled specially.
• Obtaining some means of holding a person accountable for a range of abusive behavior.
• Avoiding impersonation, especially for social media accounts of prominent individuals or organizations.
• Personalization, such as being able to appear more friendly by greeting a person by their name.

This list is far from exhaustive. Often, there are multiple reasons that a site seeks to identify a visitor.

Once someone has provided an identifier, sites are technically able to use identifiers in any way they choose. Technical privacy protections that might be implemented in a browser cannot help. Legal protections might apply to misuse of identifying information, but that depends on effective detection and enforcement.

Perhaps the most serious consequence of obtaining an identifier is that sites are then able to trade information across any site where a person has provided that same identifier. This enables tracking, a form of surveillance, where people their activities across multiple contexts, both on- and off-line, gathered into profiles. These profiles are then used for many purposes including advertising, credit ratings, and market analysis.

For all its benefits, one of the most shameful aspects of the web is how it has allowed sites to surveil people. Sites take what they learn about the people that visit them and treat that information as a commodity to be sold or exchanged.

The TAG has long regarded unsanctioned tracking as unacceptable and has advocated for technical measures that curtail these practices. Notably, the TAG unequivocally condemned cross-site cookies and called for browsers to disable them. Positive trends from browsers in recent years include a range of other technical measures, including reductions in fingerprinting, state partitioning, and navigation tracking mitigations.

These technical measures are consistent with the TAG's documented principles for privacy. These principles articulate why privacy is essential to maintaining personal autonomy. The same high-level principles are shared by the many jurisdictions that have implemented data protection legislation. The goal of data protection is to protect a person's rights over how data about them is used.

In part due to these protections, tracking practices are moving away from largely hidden mechanisms — like cookies — to human interactions based on consent. That is, sites ask people to identify themselves. Once identifying information is provided, sites might then assume that they have consent to use that information for a range of purposes.

Identity information might be provided as an email address or phone number. However, more sites also seek to obtain legal names or other identifying information. Unauthenticated systems might offer people the ability to choose how they wish to be identified. For instance, email services that provide temporary or site-specific aliases offer a way to create wholly-new or site-specific identities on demand. The same flexibility is not an option when providing a legal identity.

Tracking with identity allows online activities to be linked to offline activity. The result can be a comprehensive record of everything a person does: places they go, what sites they visit, what they say, who they are friends with, and more.

A streamlined process for providing verifiable identity reduces the cost of requesting and providing that information. In turn, this might make sites that would otherwise not ask for information choose to take advantage of reduced friction to make a request.

Centralisation of trust can lead to a fragmented web, where access depends on which authorities a site or user is willing, or able, to work with.

This risks excluding marginalized people. For example, a visitor, migrant, or refugee may not be able to, or may not feel safe to, use credentials from their country of origin. Especially where major platforms only recognize a narrow set of issuers, or only recognize issuers tied to a specific jurisdiction. The choice of jurisdiction is not often something that a user can choose, but instead one dictated by factors outside of their control. This could undermine the global and open nature of the web.

Online services that have real-name policies are justifiably controversial. These systems have historically resulted in excluding certain people, often due to people having names that systems do not recognize.

A system that relies on a central authority is unlikely to replicate the same failures. New risks of exclusion arise:

• Sites that only recognize credentials from local authorities could unjustly exclude people from out of town, either temporarily or permanently.
• People might temporarily lose access to credentials because of a lost personal device or temporary disability.
• People might be completely unable to obtain or use credentials.
• Systems that include the ability to revoke credentials can be abused by attackers to forcibly exclude people.

In some cases, such as Aadhaar, the law recognizes the risk that people might not be able to produce evidence that they hold a credential and forbids discrimination against those who do not authenticate.

Even if laws only permit the use of digital credentials as a convenience, there is a risk that no alternative means of access to services are provided. This leads to exclusion.

It should not be possible to refuse service to a person based on their refusal or inability to make use of digital credentials. This is aligned with such principles as not revealing when assistive technologies are in use or non-retaliation.

Any credential system therefore needs to carefully consider what might happen if someone is unable to authenticate or they refuse to. This might include things like non-trivial induced failure rates, which could ensure that sites do not come to assume that all users are equally able to produce a credential.

A better understanding of why sites seek to obtain and use identity is necessary. While the universality of a generic solution is appealing, each use case could depend on providing different sorts of information.

[... need to have more on use cases in here ...]

Each use case might require a different type of solution. Different solutions can have dramatically different privacy characteristics.

For example, a data minimization approach might favor the use of selective disclosure, so that people can choose what to disclose, either accepting the linkability risks or regarding those as critical to ensuring that bad actors can be traced if necessary.

In contrast, a system that seeks to authorize based on certain traits — such as a system to authorize access to online gambling, something that might be restricted by age or past history of susceptibility — might be best suited to a zero-knowledge system that provides strong unlinkability.

Despite considerable investment in both technical and legal privacy protections, sites gather more information about people than they have previously. The use of government-issued identity on the web could make that situation worse if sites are able to insist that people present proof of identity.

Normalizing the practice of providing identity credentials to websites risks serious harm. Providing any form of external identity information needs to be an exceptional process.

For example, it is entirely inappropriate to use government-issued credentials as a login credential, even if credentials are used during account creation.

European identity legislation describes a system that has some potential to counteract the worst kinds of abuses that come from overuse of identity credentials. Entities that request EU digital identity will need to show that they are authorized. That authorization will be linked a public record that includes what information each entity can request and how they intend to use it. Implemented correctly, such a system could bring transparency and accountability.

These systems carry risks, as demonstrated by experience with Aadhaar. A system that was designed for use by government — where non-governmental use was deemed an unconstitutional imposition on privacy — is now open to use by private actors. Even before that, there were documented cases of Aadhaar being used to disempower Indian citizens. These systems can provide substantial benefits, in terms of improved access to government services, banking, healthcare and other critical services. However, the resulting harms are not trivially justified by those benefits.