Senate expert meeting on Digital Government Bill
A highly critical expert meeting took place in the Senate this week on a relatively complex but important topic: the new Digital Government Act.
Among other things, this law will replace the outdated DigiD with new digital eID means with which citizens can log in to government services and arrange their affairs. However, the current design of the new law and its infrastructure carries a number of privacy risks. The Senate therefore invited Privacy First to submit a position paper and to speak at the meeting. The full programme, all speakers and the position papers were published alongside the meeting.
Privacy First's input
The Privacy First Foundation has a number of critical comments on the Wdo (Wet digitale overheid, the Digital Government Act). Citizens should have, and must continue to have, the right at all times to communicate or conduct business with the government by non-digital means, whether by telephone, on paper or in person. For large groups in society, this is and will remain crucial for their social participation. Moreover, the 'traditional' analogue space often offers better privacy protection than the digital domain.
Avoid centralised eID means
With a centralised infrastructure, the eID companies that issue the certificates (keys) can see exactly where and when people log in. The same applies to certificates used for digital signatures on documents: the issuing companies are in a position to learn exactly which documents people sign. This creates numerous privacy risks, especially where privacy-sensitive transactions (and therefore sensitive personal data) are involved. What is the business model of these companies? And what can they do with all this data, including through platforms such as Facebook and Google? This argues for a decentralised rather than a centralised architecture, built on data minimisation and privacy by design.
Where is the attribute system?
This brings us to a topical issue in this law, namely the introduction of an attribute-based system alongside the eID system. Does the current Wdo give citizens more control over shielding their personal identification data and protect their privacy? Our answer is no. In 2017, we were closer to that than we are now. The Wdo has had a long run-up and has narrowed from the elaboration of an infrastructure for digital government services into a "Login Means Act". In 2017, the aim was still partly to arrive at a framework law for an attribute-based system. The earlier version of the law therefore still clearly distinguished between identification/authentication services on the one hand and attribute services on the other. The definition was once: "The attribute service is a party that, for the purpose of electronic service provision, makes a statement about certain characteristics or data of a natural person (e.g. age or occupation) or a legal entity (e.g. licensed business)."
Such a service could be provided either by a government organisation or by a private party, and the recognition of such services still had to be regulated. The Explanatory Memorandum: "Technical and organisational requirements will be imposed on attribute services in implementing regulations to be adopted on the basis of this bill, and an accreditation system will be provided, in a manner similar to authentication services. Currently, no public and private attribute services are operational yet, but with the expansion of digital services, the need for electronic support of this function will also increase. These attribute services can be public or private. An example could be a generic attribute service enabling age verification based on the basic registration of persons. So far, where necessary, public service providers perform age verification themselves using their own customer records (which are generally derived from the BRP). The bill contains a basis for setting technical and organisational requirements for public and private attribute services. Whether there is a need for public attribute services in the future is still under investigation."
The realisation of that future now seems to be blocked, while the need now clearly exists, especially among municipalities. They too were already convinced in 2017 that you do not need to identify someone in order to let them participate in, say, an online poll. The current Wdo, however, does not support that. After all, the definition of attribute service has been removed from the Act, and under Art. 12 Wdo the Minister's power of designation is limited to designating an attribute that, in the Minister's opinion, is important for the identification of companies or legal persons.
The idea that attributes (characteristics) play an important role in curbing the tendency of public organisations to identify people online has been lost altogether. In terms of privacy and data minimisation, this is a big miss. After all, it is often sufficient for me to demonstrate what I am (a resident of Amsterdam) instead of who I am on the basis of my BSN. The current slimmed-down Wdo lacks the legal framework for this. Everything is focused on authentication and providing personal identification data, whereas the earlier version of the law did allow access to digital services on the basis of attributes. A current example of this approach is IRMA, which won the very first Dutch Privacy Award in early 2018.
This law is thus a missed opportunity to complement the eIDAS regulation and to establish an attribute-based, privacy-centric eID system in the Netherlands. On the contrary, with a range of regulations this law actually creates high barriers for private parties (including foundations) to have good, privacy-friendly means and facilities recognised and offered to citizens.
Privacy First regrets this and hopes the Senate will still be able to make positive changes to this.
Avoid centralised eID means
The current design opts for a centralised rather than a decentralised infrastructure. In general, a centralised set-up is riskier and less secure than a decentralised architecture. A decentralised set-up is also more in line with modern privacy requirements such as data minimisation and privacy by design. Moreover, it is less susceptible to large-scale hacks or covert access, massive data breaches and function creep (gradual purpose shift). It is not without reason that in recent years various sensitive areas, for instance biometrics and healthcare, have moved from centralised to decentralised infrastructures. Precisely for extremely sensitive personal data such as the BSN, and for all kinds of sensitive transactions between citizens, companies and governments, a decentralised set-up should be the preferred choice. This would also be more in line with the idea of informational self-determination and the Ministry of the Interior's own slogan 'Control of data'.
Where is the attribute system?
In this context, it is a missed opportunity that, to date, the legal framework is insufficiently based on a system that works with minimal attributes (i.e. only the relevant characteristics) of individuals, instead of full identification, which processes far more personal data than is strictly necessary. A current example of such a privacy-friendly alternative is IRMA (I Reveal My Attributes), which won the very first Dutch Privacy Award on 28 January 2018, European Privacy Day. Among municipalities, and perhaps other governments, there also appears to be a growing need for this. Why has this still not been legally facilitated?
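The difference between proving "what I am" and "who I am" described above (and under "Where is the attribute system?" earlier on this page) can be made concrete in code. The following is an added illustration, written for this page; it is not code from IRMA, the Wdo or any eID provider. It uses salted hash commitments for selective disclosure, and stands in an HMAC under an assumed issuer key for the issuer's signature: a real attribute-based credential system would use an asymmetric or anonymous-credential signature so that the verifier cannot forge credentials. The person data is constructed sample data. What the example shows is that a municipal service can check residency from a signed credential without ever receiving the BSN, and without contacting the issuer, so the issuer does not learn where the credential is used.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed issuer key (stand-in for the issuer's signing key). With a real
# attribute-based credential scheme the verifier would hold only a public key.
ISSUER_KEY = secrets.token_bytes(32)


def _commit(salt: bytes, name: str, value: str) -> str:
    """Salted hash commitment to a single attribute; hides the value until
    the holder chooses to reveal the salt."""
    h = hashlib.sha256()
    h.update(salt)
    h.update(json.dumps([name, value]).encode())
    return h.hexdigest()


def _sign(commitments: list, key: bytes) -> str:
    """Issuer signature over the ordered list of commitments (HMAC stand-in)."""
    return hmac.new(key, json.dumps(commitments).encode(), hashlib.sha256).hexdigest()


def issue_credential(attributes: dict, issuer_key: bytes) -> dict:
    """Issuer side: commit to every attribute separately and sign the list.
    The holder keeps the salts; the issuer never sees presentations."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    names = sorted(attributes)  # fixed order so all parties agree on the list
    commitments = [_commit(salts[n], n, attributes[n]) for n in names]
    return {
        "attributes": dict(attributes),
        "salts": salts,
        "commitments": commitments,
        "signature": _sign(commitments, issuer_key),
    }


def present(credential: dict, disclose: list) -> dict:
    """Holder side: reveal only the requested attributes together with their
    salts. Undisclosed attributes (such as the BSN) remain behind their
    commitments and are not transmitted."""
    disclosed = {
        name: {"salt": credential["salts"][name].hex(),
               "value": credential["attributes"][name]}
        for name in disclose
    }
    return {
        "disclosed": disclosed,
        "commitments": list(credential["commitments"]),
        "signature": credential["signature"],
    }


def verify_presentation(presentation: dict, issuer_key: bytes) -> Optional[dict]:
    """Relying party side: check the issuer signature over all commitments and
    that every disclosed attribute opens one of them. Returns the disclosed
    attributes, or None on any failure. Undisclosed values are never learned."""
    expected = _sign(presentation["commitments"], issuer_key)
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    result = {}
    for name, item in presentation["disclosed"].items():
        c = _commit(bytes.fromhex(item["salt"]), name, item["value"])
        if c not in presentation["commitments"]:
            return None
        result[name] = item["value"]
    return result


def residency_check(presentation: dict, issuer_key: bytes, city: str) -> bool:
    """Municipal service: admit anyone who proves residency in `city`,
    without identifying them by BSN."""
    attrs = verify_presentation(presentation, issuer_key)
    return attrs is not None and attrs.get("city") == city


# Constructed sample data; not a real person or BSN.
SAMPLE = {"bsn": "123456782", "city": "Amsterdam", "birthyear": "1980"}

if __name__ == "__main__":
    cred = issue_credential(SAMPLE, ISSUER_KEY)
    p = present(cred, ["city"])
    assert "bsn" not in p["disclosed"]
    print("resident of Amsterdam:", residency_check(p, ISSUER_KEY, "Amsterdam"))
```

The presentation carries the full list of commitments so that the issuer's signature can be checked, but only the opened ones are readable; a tampered value or a credential from a different issuer key is rejected.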
Work open source
Another aspect is that eID means should be open source. That is the most effective way to keep out untrustworthy parties and to allow security and privacy properties to be verified independently. Open source should therefore be added as a hard requirement for the authorisation of eID means.
We would also like to reiterate here that the eID system as currently envisaged in the Digital Government Act will, by definition, create huge risks to citizens' privacy, given the commercial nature of new eID providers, including tech companies with dubious business models and shadowy profiling practices. These risks do not yet seem to have been addressed in this legislative process. This should still be done in a democratic and future-proof manner at the level of the parliamentary law itself and not in lower, administrative regulations.
During the meeting, the senators asked numerous critical questions. Partly as a result of this meeting, the Senate plans to postpone further consideration of the Digital Government Act until after the summer.