Private Digital Authentication in the Physical World
How can we use digital identity for authentication in the physical world without compromising user privacy? This central question underlies further developments in ubiquitous computing: enabling individuals, for example, to use public transport and other payment or ticketing applications, to access computing resources on public terminals, or even to cross country borders without carrying any physical identity document or trusted mobile device. Such device-free, infrastructure-based authentication could easily be realised with centralized databases holding full biometric records of all individuals, but a system that authenticates people this way also tracks them in all their interactions in the digital and physical worlds. Such centralized tracking is not compatible with the fundamental human right to data privacy. We therefore propose a fully decentralized approach to digital user authentication in the physical world, giving each individual better control over their digital and physical world interactions and the data traces they leave.
In project Digidow, we will associate each individual in the physical world with a personal agent in the digital world, which mediates their interactions with purely digital or digitally mediated services in both worlds. This proposal has two major issues to overcome. The first is one of massive scale: moving from the current users of digital identity to the whole global population as the potential target group. The second is more fundamental: by moving away from trusted physical devices and centralized databases to a fully decentralized, infrastructure-based approach, we remove the elements on which trust currently rests. We will address these issues with a fundamental model for privacy-preserving tracking of user location and behavior, implement it in personal agents with a complete chain of trust spanning multiple parties, and build yearly prototypes for benchmark use cases such as border control.
An introductory talk on the general issue and the proposed architecture was recently given at TEDxLinz and is now online on the YouTube channel.
For contact tracing apps that aim to help society deal with the current SARS-CoV-2 / Covid-19 pandemic, we only endorse privacy-respecting designs that collect and use data in a decentralized manner, in line with our general approach to decentralizing digital identity in project Digidow. Centralized approaches to managing (pseudo-)identities and matching contact data pose too great a risk of becoming tools of mass surveillance and control far beyond dealing with the current crisis. We therefore fully support the Joint Statement on Contact Tracing and the approaches, protocols, and prototype implementations listed in it.
“Particularly for us – as IT service provider for the financial industry – secure digital authentication is a necessary requirement for the future digitalization of banking processes. Hence, our participation in this project is of great importance to us.”
(Karl Stöbich, Managing Director, 3 Banken IT)
“By supporting the CDL Digidow project we will not only leverage new technologies for convenient and secure user-centric solutions, but also prepare for the challenges that come with account-based and cloud-identification-based systems. In an increasingly connected world, we are committed to ensuring that upcoming technologies are used in a simple, secure and reliable way.”
(Paul Hubmer, CTO, NXP Semiconductors Austria)