Matrix of Digital Identity
I just watched the original Matrix trilogy with my kids, before the latest movie will be released. After 20 something years the story was still good and obviously has stood the test of time as it was clearly amusing also to the next generation. For me, it raised new thoughts reflected by the development of technology during the twenty years that has passed from 1999 when the movie had its premiere.
For the last couple of years, we seem to have been living in the real-life dystopian movie about pandemic spreading in the world. Similarly, when watching the Matrix saga, I couldn’t stop thinking how visionary it has at that time been! Surely the internet at that time was already born but the communication and interaction were still very simple – indeed, the messages in the movie are sent in the ancient Unix environment. Yet, the virtual reality called Matrix in the movie is so futuristic that it enables people to jump in and live their lives virtually wherever they want. Sounds familiar?
In fact, shortly after the first Matrix was released in 1999, Finnish company called Sulake Oy launched their online community called Habbo Hotel. I’ve never used this virtual hotel concept myself, but I know that the idea was that you could travel in these virtual hotels in a form of a virtual character you chose to be. Later, I followed my kids play in similar kind of virtual worlds, such as MovieStarPlanet and Minecraft where you could create “avatar” of yourself. There was also another big movie based on the idea, called Avatar. The idea in all these is to experience the virtual world via the created characters, which the actual player is controlling, or as in Avatar, is plugged into them.
The aforementioned virtual worlds, however, differ from that of the Matrix in that the character – or Avatar – in the virtual world represents something else than the real person behind the scenes. Therefore, the Matrix was pioneer in that it foresaw our future where people themselves interact in a virtual world, being themselves and not anything else (well, of course there are those bad guys who can transform their identities like a chameleon). What I´m talking about is Digital Identity.
Digital Identity
On 3rd of June 2021, the European Commission provided a framework for a European Digital Identity available to all EU citizens, residents and business in the EU.[1] Under the new Regulation, Member States will offer citizens digital identity wallets, by which their citizens will be able to prove their identity and share electronic documents with the click of a button on their mobile phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. Naturally, the interoperability is desirable to reach also at the global level.
The idea of digital identity has been evolving for a few decades now, from centralized identities to federated identities and from user-centric identities to so called self-sovereign identities (SSI).[2] The first federated identity initiative was Microsoft’s Passport, released at the same time as the original Matrix move, in 1999. It aimed to become internet-wide unified-login system but it failed in this, and it is currently re-branded as Microsoft Account and used only to log-in to Microsoft’s services. However, Facebook and Google succeeded in what Microsoft didn’t, in creating their own federal identities which enable users to log-in to also other web sites using their Facebook credentials or gmail account. It might seem beneficial for an individual user to not have many separate credentials to remember, but spreading their profile information outside the Facebook raises privacy concerns.
Data sovereignty
Indeed, in the data-driven world the personal data provided in social platforms and beyond has become a valuable asset to companies behind these platforms as well as their commercial partners. But the data shared online is also subject to potential misuse and in worst case, to identity theft. The European Digital Identity Wallet converts data economy to personal data economy where users are in control of their own data (”MyData”). The Digital Identity wallets will enable people to choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing. User control ensures that only information that needs to be shared will be shared.
In future we will have only one digital identity, capable of being used in wide range of occasions. However, even if it is called digital identity, it is not necessary in all situations to reveal our identity as such but only the attributes required in respective situation. For example, when buying alcohol or renting a movie with age restriction, it is in future sufficient to prove that you are of minimum age (without revealing your exact age, not to mention your birth date) and thus your eligibility for the transaction. The said does not apply only in the online world but also in real-world retail stores where you no longer need to show your whole ID with name and social security number but only to attest that you are old enough. Similarly, when renting a car, you don’t need to show your driver’s license with all the personal information about you but to only provide proof that you have a valid driver’s license. This will be in future done easily with your digital identity wallet. Indeed, the digital identity wallet will be containing all the cards and licenses you currently possess as physical copies. Later, as the name suggests, the wallet will also contain digital currency, in a form of digital euro.[3]
“What’s law got to do with it”?
A famous quote from Matrix follows: “I’m going to show them a world without you. A world without rules and controls, without borders or boundaries. A world where anything is possible.” This is yet another difference between the ”real” digital identity and that of the Matrix’ world. While in Matrix anything was possible and nearly nothing prohibited, in the real world the concept and use of digital identity is very regulated area. I discussed the ”complex of laws” in a context of digitalization in my first article of this trilogy of law-tech articles of mine.[4] The viewpoint, however, was wider than just digital identity. The most relevant regulation concerning digital identity is the eIDAS Regulation.[5] It sets standards and criteria for electronic signatures, qualified certificates and online trust services. As such, the eIDAS regulation provides security that is equivalent to physical presence. In a way it acts as a police authority of the virtual world, preventing the digital identites becoming attacked.
Naturally, the digital identity wallet solutions also need to address the requirements of GDPR. Even if the users are in control of their data, any technological solutions chosen for the national identity wallet need to implement secure ways to exchange data attributes from the wallet to the service provider, all the way from the registration to the use of the wallet so that users’ data is always safe.
Towards data sovereign Europe
In addition to legal regulations, technical standards are needed in order to ensure interoperability between different national identity wallets. Accordingly, in parallel to the legislative process, the EU commission’s proposal for a European Digital Identity framework was accompanied with their Recommendation on a common union toolbox for a coordinated approach towards the framework.[6] This work is done in eIDAS Expert Group consisting of members assigned by member states and the publication of the toolbox is scheduled to take place by the Commission by 30th of October 2022.
Development of national identity wallets is ongoing and in some countries the national solution has already been chosen and implemented. The situation is awkward in that the eIDAS toolbox work is supposed to define the necessary protocols and standards for the national identity wallets, in order for them to be compatible with each others – however, the work has not been completed, yet. This means that national solutions under development need to hit a moving target. Therefore, many countries have joined their forces and formed mutual or multilateral co-operation groups to jointly explore and drive the development or to exchange information and their best practices in the area of digital identity. For example, a joint digital identity working group of Finland and Germany aims to design and conceptualise a pilot project involving the use of a digital wallet in cross-border services. The results would help create a common European technical architecture and common standards.[7]
Thierry Breton, the Commissioner for the Internal market, wrote on July 27th 2021 how in the new geopolitical order, Europe should act like a strategist rather than just a market. “We have entered a global race in which the mastery of technologies is central. It is largely thanks to disruptive technologies that Europe will be able to embark fully on its twin green and digital transition, while guaranteeing its resilience and autonomy.”[8] In other words, by investing in disruptive technologies that have been created in Europe, we would ensure Europe’s autonomy and sovereignty, and when it is a question of European Digital Identity Wallet, Europe’s data sovereignty. However, Breton continues: “Team Europe is playing for its fellow citizens, but it is also playing for Team World.
It is imperative that EU Member States play this game together. But it is equally important in the individual member states to engage in co-operation among and between public and private sector, to get the best practices and technologies into use. This ought not to be done only to win the global race but to build a better and more secure future where data is not anymore the new gold – or if it is, then creating value for the person whose data it is. It’s time to take back control of our own data!
Writer: Anne-Mari Lummevuo, Doctor of Laws and IP & Tech Lawyer – interested in exploring intersections of business, law and technology
[1] https://ec.europa.eu/commission/presscorner/detail/en/IP_21_2663
[2] http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
[3] https://www.ecb.europa.eu/paym/digital_euro/html/index.en.html
[4] https://iprinfo.fi/artikkeli/when-law-meets-the-digital-world/
[5] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG, proposal: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2021%3A281%3AFIN&qid=1622704576563
[6] https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-recommendation
[7] https://vm.fi/en/-/finland-and-germany-intensify-cooperation-to-promote-digital-identification
[8] https://ec.europa.eu/commission/commissioners/2019-2024/breton/announcements/geopolitics-technology_en
