Beeld © Johan Moorman

Scientists caution against new digital identity

Big tech companies and governments are promoting the advent of a new digital identity for everyone. The corona crisis is fast-tracking this agenda. Experts warn against the consequences. ‘This is the end of freedom.’

This article in one minute:
  • The campaign for a corona entry pass and a ‘QR society’ is being led by the ‘digital identity industry’, and it is bearing fruit: the European Commission expects to expand the corona entry pass into a ‘perfect digital wallet’.
  • Brussels is working on an ID system based on blockchain, a technology that is also being promoted in campaigns of big corporations.
  • As the information on a blockchain cannot be deleted, experts fear the creation of a permanent record of movements, actions and transactions of all citizens. They describe a digital identity based on blockchain as ‘more than dystopian’. But both The Hague and Brussels embrace this model because it would ensure that citizens would once again become ‘masters of their own data’.
  • The Netherlands is the forerunner and will be the first European country to pilot a prototype of a digital ID.
Read more

They did not hide their enthusiasm.

A digital test and vaccination certificate ‘will propel the whole digital ID field. This is not just about COVID-19, but about something far bigger,’ Andrew Bud told Forbes business magazine last February. Bud is the founder and managing director of iProov, a London-based company that sells facial recognition technology and developed the British corona app.

The CEO of Simprints, a UK start-up that also develops biometric techniques, called it ‘an opportunity to launch systems of tomorrow’. Thales, the French defence and tech company, wrote in their blog posts that the corona entry pass will serve as a ‘stepping stone for the introduction of a digital ID card’. It asked governments to ‘create a platform for a more ambitious digitisation of identity and health data’.

Almost two years into the pandemic, Europe is now taking the first steps towards much broader use of digital identification systems other than the corona entry pass.

Frenchman Thierry Breton is the European Commissioner (industrial policy and digital internal market) and former director of France Télécom and IT company ATOS, which, among other areas, focuses on payment processing and other areas.

The design of the European Corona app was only a ‘first version of what could develop into an ultimate digital wallet,’ the European Commission told Follow the Money. This development is moving fast, says the spokesperson. ‘We will continue to work on this with the Member States in the coming months.’

The Netherlands plays a leading role in this trend towards a broader digital identity. A European prototype will soon be tested here. It concerns a lucrative market: according to analysts, it will be worth more than $30 billion in 2024 and perhaps as much as $50 billion in 2026 for products and services related to digital identification processes.

Big Tech – think Microsoft, IBM, Mastercard – is therefore prominently represented in the campaign for a global digital ID system. And that same lobby is particularly active with appeals for a corona entry system, tech-scientist Elizabeth Renieris wrote in What’s really at stake with vaccine passports. She is affiliated with the Notre Dame, Harvard and Stanford universities.

From QR to eID

With a digital document or eID, citizens can prove their identity at government offices, banks, and companies through a unique identification code linked to personal data. Name, date of birth and gender, but also biometric data derived from facial recognition systems (information about size and distance between eyes, mouth, nose and ears), iris scans (shape, colour, pattern and texture of the eyes) and fingerprints.

The European Commission sees a method for the ‘unequivocal identification of a person to ensure that the right person is provided with the right service which they are entitled to’.

Supporters of a digital ID often refer to India. The world’s most extensive eID system was launched there in 2009: Aadhaar, a 12-digit identification number needed to buy a house or to access government services, and already used by 1.3 billion people. It is linked to a payment system operated by Mastercard.

System errors are common in Aadhaar

‘This is the most advanced system in the world,’ American Paul Romer, then chief economist of the World Bank, told the media company Bloomberg in 2017. ‘It would be beneficial for the world if this is introduced globally.’

Aadhaar has its shortcomings, critics say. They highlight the case of Mrs Premani Kunwar (64). According to human rights organisations, she died in 2017 after her pension was deposited into the account of her husband’s ex-wife – the ex-wife had been dead for 25 years. She was also denied food due to errors in the food distribution system.

According to human rights activists, system errors are common: due to a bad Internet connection, server or other technical problem, and incorrectly entered data.

There are more harrowing stories.  A reputable lawyer wrote that, according to a mother begging for rice, her 11-year-old daughter died because their family card for the food bank was not linked to Aadhaar. She believes that citizens ‘are being enslaved with a card’.

The controversy dates back years. But the system has not improved, writes Indian anthropologist and bioethicist Sunita Sheel Bandewar in an email to Follow the Money. ‘On the contrary, it has become worse during the pandemic. And marginalised groups suffer the most.’

‘Aadhaar for the entire world’

According to non-profit organisation Privacy International, the World Bank, the Bill and Melinda Gates Foundation, and a large number of companies were all involved in the introduction of Aadhaar in India. It is precisely these organisations that are involved in the corona QR entry pass.

Tech-millionaire Gates has been a fan of Aadhaar for years. ‘The benefits are considerable,’ he said in 2018. ‘I think countries should adopt this approach because the quality of the policy correlates greatly with how fast their economy can grow.’ The Bill and Melinda Gates Foundation funds several Aadhaar-like projects, Gates said at the time. ‘We are sponsoring the World Bank to bring the Aadhaar approach to other countries.’

Aadhaar architect Nilekani is now an advisor to ID4D, a World Bank project funded by Gates, three governments and the Omidyar Network, a ‘philanthropic investment company’ of eBay founder Pierre Omidyar.

When the World Health Organisation (WHO) launched its long-awaited guideline for the introduction of the ‘corona certificates’ in August 2021, it explicitly thanked thirteen World Bank staff members for their advice. No other organisation had so much influence on the report.

​Incidentally, the realisation of the directive’s proposal was co-financed by the Bill and Melinda Gates Foundation. While the WHO emphasised that this foundation had no influence on the content, its ideology indirectly filters through to the public via the World Bank. The WHO also helped the European Commission create the Green Certificate, the European corona QR certificate.

The World Bank did not respond to questions from Follow the Money.

Read more Fold in

Nigeria also serves as proof that the introduction of a digital identity document can have major consequences. In August, news agency Reuters wrote that in that country, an eID has become mandatory to ‘open a bank account, apply for a driving licence, vote and submit tax returns’.

‘The end of freedom’

Despite concerns from privacy watchdogs, both governments and companies are steadily working on introducing a digital ID – containing a lot of personal information – for as many people as possible.

And for many purposes. Taking out a loan, checking creditworthiness? Information about education or career? It can all be linked to the digital ID. Information about your behaviour on social media? Ditto.

‘Identity is utterly fundamental,’ says Bart Jacobs, professor of privacy and identity at Radboud University. ‘Passports have been organised quite well, physically speaking, but not yet online. Large corporations have been trying for years to achieve a standardisation that suits them, and now they figured: let’s hitch a ride on the pandemic and come up with a solution that puts us in control. You can see where this is heading.’

‘A surveillance state could emerge, in which everything will be stored in order to steer people in various ways, both politically and commercially’

​According to Jacobs, if major parties have their way, ‘a surveillance state could emerge in which everything will be stored in order to steer people in various ways, both politically and commercially’.

The usually cautious Jacobs says that if politicians make the wrong choices now, he fears ‘the end of freedom as we know it’. Behind the campaign for digital data collection, there is ‘a surveillance agenda which we must oppose,’ he says.

SSI: ‘owning your own data’ or a Big Tech shindig?

In business and government alike, there is great enthusiasm for the principle of self-sovereign identity (SSI) - ‘owning one’s own data’, so that everyone decides for themselves when and what information is shared with third parties. At the pub, you only give the following snippet of information: ‘I am at least eighteen years old.’ At the mortgage lender, also something about your creditworthiness.

Microsoft boasts the slogan Own your digital identity. IBM speaks of ‘a lifelong, portable identity that is not dependent on a central authority and can never be taken away from you’.

Both Microsoft and IBM have opted for the self-sovereign identity principle based on blockchain technology. In this process, an administration – in this case of identity data – is carried out on various computers. The system regulates itself using a protocol. Notaries are no longer needed, and neither are central authorities. Thus, the system should be 100 percent reliable and also extremely resistant to hacking attempts.

‘Many companies invoke SSI, but it is a buzzword,’ says professor Bart Jacobs. He was one of the founders of the privacy-friendly authentication app IRMA, which also uses SSI.

Harvard professor Elizabeth Renieris is definitely not convinced by the concept. ‘It sounds like a way to give consumers more power, especially at a time when we are feeling more helpless than usual. But tech companies would like nothing better than for you to own your own data,’ she wrote in an opinion article in the online magazine Slate.

‘Companies would like nothing better than fo ryou to own your oww data – because whoever owns their data can also sell it’

Because whoever owns their data can also sell it. Amazon gave people a 25-dollar voucher in exchange for a 3D body scan, Facebook offered five euros for voice messages. Citizens are not helped at all by a self-sovereign identity, Renieris argues. She wants to see identity as a universal fundamental right that, by definition, cannot be capitalised upon.

Jacobs remains in favour, but the one SSI is not the same as the other, he says. In his view, the difference is so essential that he wrote Raymond Knops, the State Secretary of the Interior, an urgent letter in 2019 warning him not to choose the wrong system: ‘My aim with this letter is to invite you to make the political choice for a decentralised architecture, and not, as you have announced, to use unnecessary legislative amendments to create even more room for a centralised architecture.’

The difference between a centralised and a decentralised architecture is that in the first, personal data is collected and stored by one party – a government, a corporation. In a decentralised architecture, this does not happen. But the devil is in the details, he says. ‘Even if organisations are keen on SSI data or a “decentralised” model, the reality in practice can be different.’

Jacobs refers to Datakeeper, an app for a digital safe that originated at the Rabobank. ‘With Datakeeper, we give you back control. Only you decide with whom and when you share your data,’ it says on Datakeeper’s website – in other words, the ultimate self-sovereign identity. But, Jacobs says, if you ask them about the revenue model, ‘it appears that they still want to keep central records of who logs in where. As far as I am concerned, that is where they fail.’

​​Datakeeper staff held a presentation at an IRMA meeting. One of them said: ‘The verifier will be paying for the data shortly. [..] That is going to be the business model.’ In a reaction, Datakeeper said it is still working on ‘the most appropriate payment model’.

Read more Fold in

Harvard scientist Elizabeth Renieris compares the current situation to the attack on the Twin Towers, a tragedy that was seized upon to implement far-reaching measures. ‘If 9/11 brought us into an era of mass surveillance, the pandemic has the potential to bring about an ID scramble, the introduction of the era of ubiquitous identification and the end of anonymity.’

Director Vincent Böhre of the Privacy First Foundation notes that ‘the end of anonymity would be a disaster’ for journalists or activists. ‘This could lead to life-threatening situations, especially in certain regions.’

Böhre: ‘Every citizen should be able to walk around in public, go shopping and express their opinion anonymously. Otherwise, you get a chilling effect, a subconscious psychological feeling that occurs when people feel they are being watched and when they can no longer freely and anonymously conduct transactions, go to bars and restaurants, or travel.’

The Hague embraces the SSI model

The Dutch government also favours self-sovereign identity (SSI), the principle that citizens should own their own data, as described earlier. ‘People are given control over their own data instead of the government controlling it,’ IDee magazine wrote, an online magazine of the Ministry of the Interior and Kingdom Relations dedicated to the theme of digital identity.

‘People, and the trust in people, are key,’ André de Kok, a researcher at the Dutch National Office for Identity Data (RvIg), said in the article. Citizens can choose which information they share when, and which information they want to withhold.

De Kok: ‘Suppose that when you buy a bottle of whisky you want to prove that you are eighteen years or older, it is not necessary to give the seller your exact age and Citizen Service Number. Instead of a document with privacy-sensitive information, you only share information that is relevant at that moment: yes, I am eighteen years of age or older.’

Read more Fold in

The European Commission is well underway with constructing a ‘framework’ for housing identity data according to the principle that everyone is ‘master of their own data’: the European Self-Sovereign Identity Framework (ESSIF). This framework is intended to become the ‘golden standard’ and is part of the European Blockchain Service Infrastructure (EBSI).

Dutch senior officials are involved in building the framework. A prototype is being tested in the Netherlands with the identity data of an exchange student. The prototype also contains information from the Social Insurance Bank (SVB), the Education Executive Agency (DUO) and the Immigration and Naturalisation Service (IND).

​‘If it all works out, the Netherlands will soon be one of the first countries to have SSI with a high degree of reliability,’ is what is proudly stated in the Ministry’s online magazine. A spokesperson for Home Affairs emphasises that the use of self-sovereign Identity in blockchain is still in the research phase. ‘The social purpose is paramount, not the technology.’

However, Professor Jacobs is not very amused by the choices made by the Dutch state. ‘When the European Commission indicated that it wanted an eID, it seemed to be largely based on the technology behind our authentication platform IRMA. We had already built it. Open source, privacy-friendly. So we figured: come and have a look.’

‘But instead, the Netherlands started working on a blockchain project. Moreover, millions are being spent on it. Personally, I think it is completely absurd.’

​The lobby

In recent years, governments worldwide have been put under considerable pressure by the digital ID lobbies of multinationals, think tanks and other organisations that see the COVID-19 vaccination campaign as an instrument for achieving their goals.

This notion is hardly new. In 2018, think tank ID2020 described how a vaccination campaign in Bangladesh could serve as an ‘entry’ to further digitalisation. ‘Vaccination offers a great opportunity to give children a sustainable, portable and secure digital identity early in life,’ the organisation wrote on Medium.

ID2020 is the most influential digital ID advocacy group. This think tank was founded long before the pandemic by, among others, Gavi the Vaccine Alliance, which aims to increase global access to vaccinations. Other founding fathers include the philanthropic Rockefeller Foundation, the consultancy company Accenture, and tech giant Microsoft.

Meanwhile, more companies have joined ID2020, including Mastercard, Facebook and the aforementioned biometric start-up Simprints. The think tank ‘houses some of the biggest players,’ says Alexandrine Pirlot de Corbion of Privacy International. ‘In terms of scale, they have a huge market share in different aspects of digital ID.’

In April 2020, ID2020 director Dakota Gruener published a report on ‘immunity certificates’. It appeared under the Harvard University umbrella; however, Gruener expressed sincere gratitude towards ‘the management, technical advisory committee and staff’ of ID2020 and some scientists and staff from Apple and Microsoft.

‘I can no longer be part of an organisation that is heavily influenced by corporate interests and only pays lip service to human rights’

Shortly after publication, professor Elizabeth Renieris, at that time technical advisor to ID2020, resigned. In her farewell letter, she wrote: ‘I can no longer be part of an organisation that is heavily influenced by corporate interests and only pays lip service to human rights.’

​​Renieris foresaw major consequences on human rights and civil liberties due to ‘vaccination passports based on blockchain’. The technology, in particular, made her suspicious. Shortly before resigning, she and two fellow scientists wrote a blog post on ‘the dangers of blockchain in corona passports’. She described it as ‘more than dystopian’.

Blockchain

Blockchain is a decentralised network that records transactions and actions permanently. The technology is characterised by the fact that hacking and modifying or erasure of data is not possible. This makes it extremely secure.

That is precisely why Renieris objects to it. ‘Blockchain is intended to be a permanent and unalterable digital record, which inherently contradicts the principle of storage restriction.’

According to the European data law, the AVG, data must be deleted as soon as it is no longer required or when people withdraw their consent. But with blockchain, it is not possible to delete anything, Renieris wrote. Thus, more and more information is added to the system, information that cannot be deleted. Data is recorded for eternity.

According to law, data must be deleted as soon as it is no longer required. But with blockchain, it is not possible to delete anything

According to Renieris, ID2020 initially wanted to reference blockchain as a desirable solution in Gruener’s report on immunity certificates. She claims that in the end, that part was deliberately left out to avoid having to enter into a debate with her. But that did not eliminate the aspirations.

​Eighteen months later, more than 125 companies, institutions and government organisations have joined forces to form the Good Health Pass Collaborative, which aims to create a global standard for the corona pass. Many companies with biometric products such as face recognition techniques are affiliated, and ID2020 is the coordinator. The most recent press release from the Good Health Pass Collaborative clearly indicates which technology is considered a done deal: everybody wants blockchain.

Big Tech

One can almost always find links to the business world among advocates of a corona passport.

Key players include Microsoft, with identity ‘at the top of the agenda’ and a vast lobby network; Mastercard, which entered into a ‘strategic partnership’ with Microsoft in 2018 and is already experimenting in Africa with the linking of vaccination status, biometric data and payment options; and IBM, which participated in the blockchain QR in Germany.

The role of non-profit organisations is also interesting, such as the Bill & Melinda Gates Foundation, the Omidyar Network and the Rockefeller Foundation, who often act as financiers, and who tend to fuel conspiracy theorists.

​Multinationals hardly ever publicly appeal for a ‘corona entry pass’ under their own name. These appeals often come from foundations, think tanks and coalitions such as the Trust Over IP Foundation, the Commons Project, the Tony Blair Institute for Global Change, the Centre for Global Development and the Vaccination Credential Initiative, which almost always have partners in ‘Big Tech’ or ‘Big NGO’ circles.

‘They are pushing this agenda because they have products to sell’

​‘They are pushing this agenda because they have products to sell,’ says Pirlot de Corbion of Privacy International. ‘They are either involved in services, in infrastructure, or in access to infrastructure.’ The Tony Blair Institute for Global Change, for example, repeatedly praised the Good Health Pass Collaborative.

According to Privacy International, these organisations are not concerned with public health but with a commercial agenda. Thus ‘the deaths of hundreds of thousands of people worldwide are being misused for self-interest’.

The corona entry pass will irrevocably lead to mission creep: in other words, the wider introduction of a digital ID, Pirlot de Corbion warns. ‘Often, a single purpose is mentioned during the introduction, but then people turn around and say: why don’t we also use it for X, Y or Z?’

In Switzerland, a digital ID system was rejected by referendum. However, the Swiss will also come round, or so Ian Richards, a United Nations economist, predicts. In March, Richards wrote: ‘When it comes down to choosing between another summer in expensive mountain resorts compared to freshly grilled fish in a beachside taverna, many will probably vote already dressed in their bathing suits, download their digital vaccination passports and travel abroad. In six months, the biggest criticism of eID will no longer be that it crosses the line, but rather that it does not reach far enough.’

The model citizen

Experts have been approaching the idea of a digital ID with caution for years. Tommy Cooke, a surveillance expert at Queen’s University in Canada, and his colleague Benjamin J. Muller of the University of Western Ontario in London told Follow the Money that ‘although these systems are supposed to be very safe and reliable, they also present great risks’.

‘In six months, the biggest criticism of eID will no longer be that it crosses the line, but rather that it does not reach far enough’

‘We encourage everyone to ask themselves the following question: what does it mean to digitise identity, and what is a model citizen within a digital ID system? How will his citizen profile be used? Information in a digital ID system includes citizenship, gender, legal status, physical characteristics, personal preferences,’ the scientists say. ‘There will be many people who, on paper, will not precisely match up to the model citizen. They may be subject to travel bans, extensive checks or other restrictions on civil rights and freedoms because, for example, they have an extra passport, have travelled to certain areas, because of their work or because of their marital status.’

Brussels and The Hague seem to have come to an agreement. André de Kok of the Dutch National Identity Data Service is involved in both the Dutch and the European projects. Back in 2018, he described for the United Nations how he envisions the future of a digital identity system based on blockchain:

‘Information about the traceability of events and decisions made is of particular importance for the balance between control and facilitation; knowing why, when, who and what needs to be checked. This information is used to monitor people’s movements and their access to services and benefits,’ De Kok wrote in the report The Legal Aspects of Blockchain, for which Sigrid Kaag wrote a foreword.​

House of cards

Another and more critical author in that UN report, Paul Oude Luttighuis, already posted a  in 2017 with a completely different tone. According to him, the large-scale use of blockchain in political circles is ’a dream scenario for those who wish to accumulate power without having to account for it’.

‘A dream scenario for those who wish to accumulate power without having to account for it’

According to Oude Luttighuis, once a blockchain system has been up and running long enough and enough people have joined, it is virtually impossible to modify it. ‘In a democracy, people write the contract together. That happens within a political process,’ he says in an interview with Follow the Money. ‘But because blockchain is built on formal logic, it offers no possibility to make adjustments. It is a house of cards without the realistic possibility to intervene. This way, we will trap ourselves in an immutable social contract.’

Therefore, although the technology works in a decentralised way, the power is entirely centralised, ironically enough: ‘The central power of blockchain is precisely that contract, or whoever drafted it,’ Oude Luttighuis wrote. ‘They have one chance – and in the process, they immediately determine the rules of the game.’

Devastating effects

‘For the one setting and controlling such contracts, these may seem quite smart contracts indeed, but once scaled sufficiently, they turn into killer contracts for the participants. Can’t they leave the block­chain then? Well, only at the cost of exile, and of having to build another one themselves,’ writes Oude Luttighuis in his LinkedIn article. To illustrate that contract, he chose a picture of handshake between a human and the devil.

Although experts like Renieris and Jacobs have a different view on a digital ID, they share a somewhat sceptical view of blockchain.

Other experts enthuse about the personal freedom of blockchain, but it is the opposite of freedom, says Oude Luttighuis. ‘Blockchain is a Trojan horse. It pretends to be a convenient tool for our needs, often based on fear and distrust, but from the inside, it eats the life out of a democracy and the constitutional state. Those are big words, and a single blockchain implementation is unlikely to have such devastating effects. But the architecture of blockchain brings with it these effects, especially when deployed on a large scale in the execution of public affairs.’