37C3 - Please Identify Yourself!

[Music]
And this talk is about "Please Identify Yourself!", by Thomas Lohninger and Udbhav Tiwari.
[Applause]
[Music]

Thank you. So today, what we're going to talk about are digital ID systems: why they exist in the world, what are some of the lessons that we can learn from the ways that they've been deployed in certain countries, and, more importantly, what's happening next and what are the ways of resistance. Digital ID systems tend to be quite prolific. This map is just a very small indication of some of the systems that we will be talking about today; it's by no means indicative of all of the digital ID systems that exist in the world. But it's particularly the color red and the color orange that are important for us. The color red is India, where we will talk about India's Aadhaar project, which there have been talks on in previous iterations of the Congress, so we'll be focusing at a relatively higher level. And then in Europe there's the eIDAS regulation, which specifically looks at how digital identity will operate in Europe and is set to radically shake up the way that more citizens will interact with their governments in a digital age.

The Aadhaar project in India is something that... sorry, something wrong with the clicker. So the Aadhaar project in India is fundamentally driven and motivated by one of the SDGs. Specifically, 16.9 of the UN's Sustainable Development Goals talks about the importance of providing universal legal identity. This is the point where it's important for us to separate identity, which is something that is inherent in an individual, versus identification, which is usually a manifestation where a government or another authorized entity tells an individual: this is how you can assert the identity that you already have. This part of the SDG has led to a rapid proliferation of governments, funders and international institutions investing in digital ID projects, because digital ID is supposed to leapfrog many of the concerns that traditional ID systems, both on issuance as well as fraud, have faced in the past. And the country that has tried to do this at its most ambitious scale is India, with the Aadhaar project.

The Aadhaar project in India currently has between 85 to 90% of the Indian population enrolled; that is over 1.2 to 1.3 billion individuals who already have an Aadhaar. The Aadhaar project has many security and privacy concerns, it has many exclusion concerns, and while we'll be going over them in some detail, in case you'd like to get into them, please do listen to the talk that Kiran gave at the last Congress, which actually does a deep dive into a lot of these concerns around the Aadhaar. At a fundamental, basic level, the Aadhaar project is a concept that says you don't need a physical ID card in order to identify yourself. There is no chip, there are no ways in which the card contains information; instead, your biometrics are used to issue you a number. And in order to issue you that number and ensure that there is no one else like you in that system, there are three main components that are ingested in order to carry out de-duplication: your iris scans, your fingerprints and your biometrics, as well as your photograph that is taken when you sign up for this system. All of these three things are combined to issue you a unique 12-digit identifier that stays with you for the rest of your life. If it's compromised, or if it's even made publicly available, it cannot be changed. There is no provision under the laws that govern the Aadhaar in India for that identifier to be reissued to an individual, and most of the risks that stem from biometric identification in most ID systems are magnified in the Aadhaar project, because it is you, your body, that serves as the primary identifier whenever you want to authenticate yourself using the Aadhaar. That also leads to some pretty interesting scenarios for how the Aadhaar project was actually rolled out in India. This graph is really interesting, because what it will showcase to you is that the law that actually created the Aadhaar project was introduced in late 2016 and passed in late 2016, early 2017, and the really shocking part is that over 980 million individuals were enrolled in the Aadhaar project before there was a democratic process to create a law that would govern how the project should work in practice. Instead, there was an executive authority that was established in India in order to push the project through and ensure that enrollment could start taking place well before there was any concrete legal backing to the project. This led to a lot of pushback from civil society within India, which, apart from its security and privacy concerns, argued that it's really important for a project of the scale and the magnitude of the Aadhaar to go through, in a democracy, the deliberative process via laws and regulations rather than merely executive action. And that's the first trend or pattern that we will talk about of how societies and democracies engage with digital ID.

After that, as enrollments continued, we've also seen a second worrying trend: the fact that the Aadhaar, which was initially proposed as an identifier to perform one purpose, has slowly crept into various aspects of Indian life. We've seen it being asked for school enrollments, children under the age of 2 to 3 being asked to sign up for the Aadhaar, where on the right-hand side you will actually see a tweet from the official Aadhaar account asking individuals to register their children, sometimes even before they have a birth certificate, on the Aadhaar project, ignoring the fact that biometrics often change and evolve as individuals grow over time, especially fingerprints. And this scope creep has also led to this mandatory-voluntary nature of the Aadhaar project, where officially, according to government policy, the Aadhaar is not required for school enrollments, and this is something that the government has clarified; however, in practice it's much more common to see that you will simply be refused services, both in the government as well as in the private sector, until you provide these details. And another aspect of the Aadhaar project is that it is merely the foundation of how India as a society is approaching digitalization. There is a concept known as India Stack, and it's created by a voluntary group called iSPIRT in India, and they envisage the Aadhaar being the foundation of a lot of the interactions that one would carry out in society: the presenceless layer, which talks about how the biometric identity that you have will allow you to assert your identity digitally; the paperless layer, where once you have asserted your identity, official documents can be issued to you in a completely digital format; once the identity and the documentation piece is established, you could enter into financial transactions and relationships, which is called the cashless layer and is behind some of the most successful projects in India on the financial inclusion front, such as the Unified Payments Interface, or UPI; and ultimately the consent layer, where all three of these, or just even one and two, can be combined in order to allow individuals to exert their consent for all digital interactions. The one thing that I will suggest we also keep in mind is that this idea is not unique to India. The UN is currently considering digital public infrastructure, or DPI, as a big focus as a part of its work and a way to actualize SDGs, and many of the trends and concepts that I've just spoken about here are things that Thomas will also talk about, both in the context of the EU but also with regard to how these projects are operating elsewhere in the world. With that I'll now hand over to Thomas to talk about the eIDAS.

Thank you, Udbhav. So, as you might have heard, we've recently concluded a huge reform in the European Union to establish a harmonized digital identity scheme. The starting positions in the EU are actually quite different: we have very different systems in member states, and the penetration, the uptake, is also sometimes above 90%, sometimes below 10%. And now the EU wants to harmonize all of these various digital identity systems with what we call the European Digital Identity Wallet. And you've guessed it, it's an app on your smartphone that you as a holder can have, and it can store your national identity or your residency card, or also other attributes that can come from the public or private sector. These can be your driver's license, your age, it could be university degrees, but also customer loyalty cards, it could be financial scoring information, or also your Covid certificate, whether you have been vaccinated or recovered from any type of disease. And all of this trove of personal data can then be used whenever you authenticate, identify, verify attributes or sign documents vis-à-vis so-called relying parties. And again, the system is open in terms of what a relying party is: this could be a bank or a telecom company that legally is obliged to identify you before they can have you as a customer; it could also be the police or border control; it could be whenever you are going to a theater, whenever you are doing any type of e-commerce. This is really a universal system to identify, authenticate and verify attributes about a natural or legal person vis-à-vis government or private sector, online or in physical proximity in an offline scenario. And the Commission has high plans for this: they are aiming for 80% penetration in the European Union by the end of this decade. So this should become something that you come across every day in a few years, when the system is rolled out, and the law actually makes sure that you will come across it in case you use any of the big tech platforms. So Facebook, Google, Twitter, they are all required, because they are very large online platforms, to offer this government wallet as a means to log into their service. And I don't think it was intended, but recently also porn platforms like PornHub were classified as very large online platforms, so you can also use the government wallet to log into PornHub. It really is one tool to rule them all; it is a one-size-fits-all solution, one level of security, of technical assurances, to buy cigarettes or do your taxes, to open up a bank account or to log in to Facebook. And this universal key of course contains many risks. But before we look closer into Europe, giving it back to Udbhav.

Thanks, Thomas. As we talk about risks, we'll both be talking about some of the risks and how they manifested in India during the deployment of the Aadhaar project, as well as some of the risks that exist within the eIDAS framework. In India, some of the biggest risks have been around exclusion: this idea that the Aadhaar would be compulsory if you were to procure government services such as access to your rations, admission into schools, access to banking services were all issues that led to a fair bit of pushback by civil society as well as many other interest groups in India. A lot of these protests were quite successful in that they forced the government and the entity implementing the Aadhaar to make it clear when the Aadhaar was mandatory and when the Aadhaar was not mandatory. However, it didn't completely fix the problem, because of what I'd mentioned earlier: if a provider refuses to provide you a service unless you're providing the Aadhaar, it's usually much more convenient just to give them that piece of paper than to tell them "I have a copy of a government order that says that the Aadhaar is not mandatory in order to provide the service." This mandatory-voluntary nature of the Aadhaar is one of the bigger reasons that exclusion continues to be a concern, despite ways in which it has actually been addressed in law. There was also a very important risk of how the civil society organizations that were pushing back against the Aadhaar were characterized as those holding back India's progress into a digital age, and were sometimes targeted as individuals who were anti-national and not in the interests of India, making it much harder for their arguments to gain credence in mainstream organizations and press.

Then came the privacy and security risks. This is a graphic from the Times of India newspaper in India from earlier this year that has documented that there have been at least 210 instances of leaks concerning Aadhaar numbers. Now, the Indian government's stated position is that the UIDAI database, that is the centralized database that stores the Aadhaar information, has not been breached so far. But the truth of the matter is that that database does not need to be breached in order to access very sensitive information that is present in the Aadhaar, and that's for a variety of reasons. The first is that there are documented instances of the information that is present in the Aadhaar database also being present in other databases that are either run by government agencies or by state governments. Some states, such as Telangana, have been shown to have operated State Resident Data Hubs, which were populated with information from the Aadhaar database when individuals in that state were signing up. So in order to access this sensitive information, you don't necessarily need to compromise the one centralized data place where this information is present, but there is far lower-hanging fruit that allows malicious actors to essentially achieve a similar outcome. And one of the more obvious ways in which it happens is the screenshot on the right, which is a screenshot that was released as part of news reports, where a government agency in a state in India was using the Aadhaar in order to carry out attendance and biometric verification of attendance, which was then accessed by malicious actors, and data from that was pulled in and then made generally available for individuals to purchase, either on the public web or on the dark web as well. And finally there is the scope creep: this idea that the Aadhaar as a single identifier should be one that allows individuals to link their services to each other, so that governments can be sure that they are who they claim that they are. On the left-hand side you will see an official post by the Election Commission's state office in a state in India asking people to link their Aadhaar to their voter ID cards, something that so far, according to law, is not mandatory in India, but as you can see from these posts is very much being encouraged by the government. And the image on the right is actually a promotional post that was put up by a company called OnGrid that was promoting its services of being able to perform background verification merely using an individual's Aadhaar number, where, while this image itself is from 2017, before the legal case that I mentioned earlier actually came up, right at the bottom you'll notice it says "enter OTP", and that's in fact one of the most common ways in which Aadhaar information is actually utilized in India: merely an SMS that comes to a registered phone number, which, as we all know, has various security and privacy risks and is not recommended as a second factor of authentication in most secure systems in the world, but yet it is used within the Aadhaar and is in fact one of the most common things that is used in the Aadhaar. And finally there is this idea that the Aadhaar is a battle that has been completed. This is Nandan Nilekani, one of the co-founders of a very large Indian company called Infosys, as well as one of the chief architects behind the idea of the Aadhaar project from at least 2007 to 2008, and this is a quote that he actually has given in the recent past, saying that the Aadhaar battle is now complete, because the Aadhaar is such an ingrained part of Indian culture that it's a done deal and it can now serve as the foundation for other efforts, which makes pushback that civil society or digital rights groups might do seem like a lost cause, because once it has been rolled out at the scale at which it has and everyone is already using it, how much can you really work towards making sure that it can be improved, if things are working fine anyway? And this also is something that has spread elsewhere around the world. The lessons that were learned from the Aadhaar project were key in many of the decisions that were made around the world to bring forth the problems of the idea of exclusion, which is how digital ID projects, despite sometimes being intended to simplify processes for individuals, end up excluding them, either due to the lack of public infrastructure, including the internet and electricity, as well as flaws in the technical designs of these systems themselves. And this is also something that we've seen increasingly start happening in Europe as well. This is actually a petition that garnered over 600,000 signatories on change.org that was run in Spain by pensioners demanding that there be a way for them to be able to access their financial entitlements in a physical manner, because mobile banking was the only way that a lot of banks were providing those services and they did not have the digital literacy in order to be able to access them, showcasing that digital exclusion by no means is something that is only limited to the global majority. With that I now hand over to Thomas to talk about how some of these risks have played out in the eIDAS too.

Thank you. Well, so let's talk about over-identification, which is, I think, a very important, helpful frame to actually capture the risks that these systems entail for everyday situations. Right now we very often can rely on anonymity, in the absence of these digital identity systems and ubiquitous facial recognition: you can walk across the street, go to a shop, buy something, nobody knows who you are. And it's exactly that type of anonymity that is at stake with these systems. We have seen various attempts across the world, but also in Germany, France or Austria, to establish real-name laws on the internet, or some type of registration before you are allowed to post. Very often these proposals could only be prevented with the cost of identification, which is actually quite high; we are talking about a few euros that you have to multiply for millions of users. These government-run systems could set the price to null, and of course, if you have these systems ubiquitous in all areas of life, suddenly the big question of observability comes into place. If you are able to correlate the actions of an individual in the health sector, in the financial sector, in the labor market, in their private life, in their interactions with the government, you know a damn lot about that person. And sadly we cannot solely rely on the GDPR for protections on that; in many of these physical situations consent is simply not enough. There are obvious flaws in the GDPR, that's why the law is currently being reformed, like pay-or-consent or prohibition of tying; all of these weak points will come into play with these systems, and that's why we have to talk about safeguards.

And we are now at the end of the European reform, so we also can take a look back on the most important safeguards that are in there. And let's start with the good. The one basic idea that we had when we got the weight of this reform on our shoulders was the idea to have a non-discrimination provision, to really protect everyone in any individual situation when they opt not to use this new system. So we established this idea as something like a wild shot, and then thankfully it was actually taken on board by all four committees in the European Parliament with a huge majority, and it made it through in the final law. So you are protected with any type of government service, the labor market or the private sector, so that you cannot be asked to pay a higher price, refused the service or hindered in any way just because you're not using this system; you can always rely on alternatives; it can never be mandatory. The second important thing was the unique persistent identifier, these lifelong serial numbers for humans. We just heard in India how Aadhaar is a very central part of the culture of society; Scandinavian countries actually have similar behaviors and cultures around their serial numbers. But we could actually prevent these unique persistent identifiers from becoming mandatory in the EU, and we have completely deleted all of the references to something like this in the legal text. And there are other safeguards we can rely on. First and foremost, a right of pseudonymity: whenever you're not legally obliged to identify yourself, like with a bank or a telecom company in a country with SIM card registration, then you can always give them a pseudonym. When you prove something about yourself, it most likely will be done in the form of a zero-knowledge proof; that means you can prove a fact about yourself without revealing the underlying data. The classical example: prove that you are above 18 without giving away your birth date. And then, very importantly, and getting that through was really a hack in the negotiations: unlinkability. This principle establishes that whenever you are interacting with a relying party, and again you're not identifying with your legal real name, then they are technically prevented from correlating that. So there are no public keys that could be hashed, nothing that can actually be used to track and profile you. This is a clear requirement in the law for any type of technical implementation in the system. But it's not all about tech; we are dealing with companies, so it's also about regulating the use cases and the business models, and there is a strong use case regulation. Any relying party, any company that wants to use that system needs to go to the national authority, have the use case registered with exactly the amount of data they want to ask from users, and they are technically limited to that registration, and the whole list of registrations is up for public scrutiny, available online. These are good things.

Let's talk about the bad things. We failed to establish a safeguard against biometrics being a precondition of the system, so you can be asked to use Face ID, Touch ID in order to use this digital identity wallet. We've already seen in a few countries where this requirement exists that it is a huge showstopper for people; they don't want to use their biometrics with any form of government ID system. And so that sadly is not a requirement, so it will be left for member states. The most severe omission in the articles of the law is the unobservability. I talked about this panoptical view you could have if the issuing authority, the government, knows everything you do with the wallet, every transaction that you even attempt, and we really wanted to prevent this level of observability, but it's only in the recitals, so it is a can kicked down the road. So we'll see in the technical specs whether we can actually get this solemnly enshrined in the text, but we have a fighting chance, because in the recitals we have enough things to fight for. Which ugly things and muddy things are also worth mentioning? I think that hackers will have a lot of fun with the system, because particularly in the first few years there's no common certification scheme in terms of how to make the system secure. And honestly, this certification scheme, I'm not truly convinced about that; like, having a stamp "this is secure" is not always really secure, we all know that. But nevertheless there will be widely varying security levels in the beginning, and so that's certainly something to have fun with. We have a little bit of an open source obligation, so at least the application components of the app need to be open source, but not the back end, and there are also security exceptions, and of course it's only open source, it's not free software, although it's public money.

Thanks, Thomas. Very briefly I'd also like to talk about some pretty interesting statistics. And this image is actually from 2019, but at that point in time well over a billion people were registered in the Aadhaar database. Both: what are some of the measures that have been implemented in the Aadhaar ecosystem in order to address the security and privacy concerns, but also what are some of the trends of how individuals utilize their Aadhaars. Probably one of the most interesting statistics is the fact that the vast majority of the use cases, despite this actually being a digital ID, continue to be in the physical world, which is that the two most common manifestations, a card, which is essentially a laminated version of the Aadhaar, not a chip, nothing that sets it apart or makes it unique, and photocopies, continue to be the two most dominant ways in which individuals actually utilize the Aadhaar in Indian society, despite it being a digital ID. And the measures that were implemented in order to address some of the security concerns were a virtual Aadhaar number, very similar to the right to pseudonymity that Thomas spoke about, where you can generate Aadhaar numbers and share them with providers rather than your core Aadhaar number itself, so that even if there is a compromise you could remove or delete that virtual Aadhaar number, which you can issue in a limited amount, which is something that very few people actually go into the Aadhaar dashboard and create for themselves. Then, in order to address the card and the photocopy idea, there was the masked Aadhaar, where certain key numbers are masked in a manner where, even if the physical copy of that document is compromised or a virtual copy of that document is compromised, then all the sensitive information is not necessarily present on it, while still allowing, using the QR code and other measures, basic authentication and use cases to actually take place as well. And this is also the point where I'll highlight that some of the more interesting lessons that were learned in India played a very big role in the conversations that have happened around digital ID elsewhere in the world. It's one of the reasons why, when we made arguments for why pseudonymity is important under the eIDAS regulation, like Thomas did, we were able to point to examples of what happens if pseudonymity does not exist, and that was true for a lot of the other solutions that are present in the eIDAS regulation as well.

Finally, there's also litigation, and when it comes to litigation, many other projects that were inspired by India's Aadhaar model, such as Kenya's digital ID project, were actually struck down by courts. The Kenyan project, the original one from about four years ago, actually collected DNA information apart from a lot of this other sensitive biometric information, and it was struck down by the court in early 2020 on the basis of the fact that it was too privacy-invasive, and ultimately that entire digital ID project was shuttered and a new variant was recently launched, about a year and a half ago, that is better from a privacy perspective, and also led to Kenya actually having a data protection law. Both of these have parallels in India, where the Supreme Court judgment helped tweak the Aadhaar to make it slightly better than what it was, but also actually led to conversations about whether Indians enjoy a fundamental right to privacy, a conversation that, for the first time in the Supreme Court and as a society in a big way, we really had only in between 2015 to 2018, which showcases how digital ID projects can precipitate conversations in societies because of the amount of information that they collect. With that I now hand over to Thomas to talk about DPIs and world domination.

So we have not actually completely concluded the European process. Formally speaking, there's one last vote happening on February 6th in the plenary of the European Parliament, but we really don't expect there to be any showstoppers, because we had a huge majority already in the industry committee. And so this two-and-a-half-year reform is about to conclude, and we are heading towards the technical implementation, which should be finalized by August of next year, and you can expect the wallet then to pop up in a few countries, and by 2026 the obligation kicks in that every member state has to offer at least one of these European Digital Identity Wallets to the citizens and residents. And the technical implementation, as we are at a hacker conference: it's actually being developed by the eIDAS expert working group. So this is a group that consists of government officials, a lot of industry influence, very opaque; you really cannot get anything out of there except with leaks. And we got a few leaks and we are right now in the process of analyzing them, and this is certainly something where the more the merrier, so in case you want to help with that, we'd be happy to collaborate. And it's important to note that eIDAS is just one piece of the jigsaw puzzle. This system is already the basis and has been mentioned and referenced in other legislation. We have the European Health Data Space, which, I don't know whether we have a talk this year about it, but it's certainly a very important issue that also requires our attention, because it will create an exception to the GDPR; it is the rule, the law governing how we are actually dealing with our health data when we go to the doctor, to the hospital, to the pharmacy, and also secondary uses of this data for research purposes. Of course there will be driver's licenses; there's a directive for that that includes the wallet. We have age verification as a huge part of the chat control bill, the CSA regulation. And of course the digital euro; this is another law that we are working on, you can find position papers on our website on that, and this new currency that Europe is creating will also live in the same wallet. And it's not just Europe and it's not just India; this really is a global wave, that's why we started with an incomplete world map. We see these systems popping up everywhere. There is interest from the World Bank, from the UN, from many actors in rolling them out, and a lot of money behind it. And so there's now a process by the UN Tech Envoy called DPI-safeguards.org, which aims to establish worldwide safeguards for these digital public infrastructure systems, and they actually try to do the right thing. They also try to be quite open; how much we can honestly believe that, the verdict is still out, but we certainly have a timetable that's quite ambitious for this year. Ultimately these rules will be voted upon and decided between governments, and believe me, these UN processes are even worse than any parliamentary process you have seen. But nevertheless there are ways to influence that, and there's some transparency that we can expect. That's another thing where we can engage.

And I would also like to summarize maybe a little bit what the axes of resistance are that we've highlighted here, and this talk should not leave you in despair. I'm always trying to give you hope, because that's the only way we can do politics. We have seen in Kenya that a system that was meant to really collect DNA information from everybody and be rolled out nationwide was stopped in its tracks with successful strategic litigation. Similarly, in India several of the court cases have had tremendously good successes. So strategic litigation can work; protest can work; we need to make visible for everyone that we care about these systems. Sadly, with the European reform I would have wished for much more public scrutiny, but it's a European thing, it's far away. Hacking works tremendously well, so any form of responsible disclosure showing that these systems are neither secure nor trustworthy is very helpful. This happened in Germany recently, and so I hope that this can be replicated also now with the European system. And lastly, advocacy: we've done a lot in terms of preparing amendments, policy papers, meetings with politicians, media work; just getting the word out, making people understand why this whole thing matters, is vital for getting it right. And on that note we want to end, and just to tell you that, like, just down the road there's an assembly of epicenter.works; I'm going to be there the next three days from 7 till 9. We also have two self-organized sessions on the EU, on net neutrality and campaigning stuff, and please come and talk with us. All of our work on this whole issue of electronic identity was funded by individual small donations; we never received any grant money for that, so please consider becoming a supporting member; these are the people that make this work possible. Thank you.

So we have 10 minutes of time left to have some questions. Oh, the first ones are already coming in. Are there any questions from the internet? Yep, then let's start there.

The internet would like to know: is it possible to blacklist an Aadhaar number and effectively cut someone off from the economy entirely?

So there hasn't been a documented instance of that happening so far, and that's largely because the UIDAI as an entity only takes the responsibility of issuing Aadhaar numbers, and the law doesn't have a provision for it to be stopped or blocked. But it's something that hypothetically certainly could be done; but we haven't had any documented instances of it happening so far out of a deliberate action. It has happened in the past where the de-duplication has not been successful and people have claimed that there is already someone like them in the database, but that's much more, I think, a consequence of the technical flaws of the system rather than a deliberate action on the part of the government.

Please have brief questions, because I know it's a topic like politics, but please keep it very brief. Number two, please.

I have two questions. One: I've seen in India we don't have full coverage by this Aadhaar system, so this was a question: those people who are not in the system, what kind of people are they? Are they resisting, or just, you know, somehow excluded? And the other question goes to you, Tom: are we going to have in Europe this virtual EID number? I like that from India, that part. So, two questions.

So on the reasons, there is a small
fraction
    of individuals who have resisted in India but much more so it's individuals who don't have the ability to sign up one of the main characteristics of the Adar is while it's considered a single identifier the only way for you to get it is to have other identifiers so whether it's your address whether it's your identity whether it's your age all of there are lists of other government documents that need to be submitted which either many people don't have or live in localities where sign up boots are so far away that they haven't managed to get it or sometimes their identity has been stolen and has been used by other individuals in order to create other numbers in their name which therefore they cannot exercise so it's very much a case of uh design and exclusion flaws being much bigger than the people who are resisting who are present but it's a small fraction thanks to answer your question about Europe so ultimately no we don't uh we started off with the worst case scenario with one number to Ru the all for private public sector we discussed a lot of variance also p cimity and ultimately we could delete all references to any unique identifier um there there of course still is matching in case of crossborder situations when you have a Swedish citizenship but you're living in Germany then there is a mechanism to match that individual but is only crossborder scenarios um mind you that you could of course still have attributes that serve as identifiers customer royalty cards and for example Estonian social security number will still live in a new system as an identifier that comes from the government and will be used like any other attribute but the European system does not contain any of these unique persistent identifiers M and number one please yes um I have a little question about op sourness of the systems they're now developing the wallet uh for the European identity wallet um what I see there is they're using the iso Moc standard which is a Clos paid standard 
um is
    there any way to continue fighting this to Open Standards or is this a done deal so we actually tried in an early version of the law to have an obligation to only use Open Standards the council wouldn't have it and they really used the dirty arguments in terms of like sunk cost and and and uh private interest so um there is of course huge interest from the big vendors in Europe to have this go their way towards propert Solutions um and that's exactly this architecture reference framework discussion that's happening right now um that will be concluded in August where we need to comment on all of these standards right now they haven't really made too many decisions and they they have to do a lot of work to actually include the safeguards the parliamentarians now have adopted so there is definitely hope to change and improve that text but it needs to happen the next months okay I'll start typing thank you number two please hi uh thank you for the uh talk I wanted to talk about maybe having an daty theft in diar because um from my knowledge the um biometrical data is rather easy hacked is there any other way to identify in a two-way identifier else than the phone like RSA or something no so the that those were the suggestions that Civil Society gave when the project was initially being rolled out and the only mitigation that has been done and even that hasn't been enabled by default is that the Adar dashboard now gives you the ability to lock your Biometrics so if you go in there and lock your Biometrics uh once you've locked them you can only unlock them in 10minute intervals within that dashboard so if say someone were to make a copy of my fingerprint and attempt to use it somewhere else unless they also had my phone number and could receive an SMS that lets me access that dashboard online which is not difficult but still a like just a slight step of friction then those Biomet would not end up working so it's very much your fingerprints your iris and pretty soon 
your
    face will be the only ways that you can authenticate yourself via the Adar apart from your phone number Via unencrypted SMS okay thank you a question from the internet please uh so the internet would like to know uh do we know what's prompted the creation of these systems uh like atar and what's the main use case that the governments are focusing on when advertising it the primary reason that the adhar was created was because there was a widespread belief in India that traditional ID systems such as ration cards which gave you access to your public uh you know uh uh resources and rations were ones that were so subject to fraud um that and there were so many people down the chain in the chain of how things got to people that a digital ID system would let the government transfer subsidies directly into people's bank accounts so there was this image painted that this identifier will remove all corruption and allow for money to be able to flow into systems in a manner that is much more reliable uh there were some studies that were done that showed that this was the case but many of those studies since then have actually been very widely discredited um for having various flaws in both their economics as well as their technical methodology uh which is the origin now it is just a very easy way to know everything that you would like to know about a citizen and or a resident and most governments love doing that just to maybe also ask a question for answer this question for other reasons so we we very often see the spin from World Bank and other un organizations that this is about efficiency and ultimately there is a kind of mistrust Against All Humans uh that is kind of a driving Factor um in Europe it was strongly economical arguments Estonia is always using the billions of money saved in the GDP with these systems and in the EU uh impact assessment the Inception impact assessment so like very early on they already had one thing clear this system will be used for the 
priva
    te sector so they want this to also serve private corporate interests and all the other things like the European health data space the digital Euro these are things they left out like the government uses of these systems were not advertised when this in reform was started so we have time left for three fast questions so number one then the internet then number two okay very quickly you answered my first questions which is B basically what's the reason uh for these systems and basically you said economic efficiency uh your counter argument is that these systems can be used for surveillance and my question is then what do you both both of you propose as a system that would work for economic efficiency that will be not be used for surveillance? I mean this really touches on the on the big big question can these systems ever be safe can they ever not be exclusionary towards the most marginalized parts of society uh can they ever be so bulletproof decentralized that they cannot be abused by a bad actor or government and the verdict is out we don't know yet and that was honestly the weight on our shoulders when we did this reform um cuz it was clear that these these systems in the minds of many policy makers are inevitable and so it's it's actually we we got a lot lot of attention from politicians from all across the political Spectrum with our ideas to reform this um and I can tell you that not even the people that negotiated this thing for the parliament slept well um so yeah the ver is still up number two please very brief uh yeah hello I was surprised not to see the Ukrainian EAD case so I wondered whether he had an opinion on it because it was although Loosely regulated and fastly legislated technologically sometimes better than like some other Alternatives and without Gathering of extra data um so I would love to have a discussion with you and and also learn more about Ukrainian case I know a little bit also the relationship to Estonia and for this talk we 
simply did
    not have the time like we covering any issue with a global scope is super difficult so we try to do everything Justice we touched upon but you're right that that would have totally deserved more attention thank you thank you and the last question from the internet are you personally optimistic for a privacy and security preserving standard or will it be a race to the bottom to find a compromise between all stakeholders I think so there is a lot of very positive standardization movement in terms of privacy preserving Technologies in this space but a lot of the good ideas are really still in research stage I think that in the like 3 to 5 years we'll have very good standards that are ready for production and that are robust right now actually the edas expert working group is solving an impossible task because these standards are too early the the discussion in Academia is still ongoing I have trust in the outcome of these standardizations cuz we have also seen this in the co pandemic how creative people can get in terms of really enshrining privacy and Technology um but uh the the the strong Push by lawmakers to have these systems now or yesterday is kind of at ODS with um the reality of the technical specifications thank you very much for the talk have a warm welcome a warm Applause Forda tari and thas linger thank you very
    [Applause]
    much
    [Music]
    la
Title:
37C3 - Please Identify Yourself!
Video Language:
English
Duration:
45:41
English subtitles: incomplete