Digital Revolution

Chapter 5 - Digital Identity

Sharing Ideas, talking with someone, exchanging information, solving problems has never been this easy. Social networks created a structure that allows us to do this simultaneously; they are the new “hubs” of the internet. In this new virtual interconnected world, connections have a bigger importance. Thanks to social networks (Facebook, Linked In…) anyone can measure his own “social power”. How many friends do you have? How many “likes” do you get? How fast can someone find your virtual profile on the internet?

This power leads to many things. Strong communities capable of organizing vast events are created. We have seen that revolutions are made through this new medium. There is reason why some countries (China, Iran…) try to limit its usage. But this new power allowing people to fight for their freedom has a flaw: a complete transparency.

How many information previously hidden are today accessible to all? There is multiple examples: price comparators, studies, geolocalisation… It’s not necessarily a bad thing. Indeed, this transparency guarantees more efficiency and reduce the risk of unpleasant surprises for consumers. You have access to multiple sources of information.

However people must keep in mind that this is a double edged sword. Transparency works both ways. Every move you make is monitored by companies, by governments or simply by other people. With this new power comes great responsibilities, people have to be careful and control their virtual identity. Once something is typed, sent or uploaded on the internet, there is no way back. Moreover it is very likely that this will stay online virtually forever. The protection of everyone’s Virtual Identity is becoming a critical issue for the years to come. The major problem in the digital space is knowing with whom you are interacting. Currently there are no ways to precisely determine the virtual identity of a person. Even if there are caracteristics associated to a person's digital identity,they can be changed, masked or dumped and new ones created.

Privacy Versus New technologies

The information technology sector is constantly changing, with smartphones becoming faster and smarter. By developping new technologies, companies use these technologies to create new businesses. But how to make sure that privacy and protection of personal data are not forgotten ?
In the context of new technologies, protecting privacy and trying to regulate issues related to civilian privacy is a new challenge for governments today. They try by introducting new laws to protect its citizens from cookies and internet hacking, but it is becoming really hard to do so, as social networks and new technologies sector is constantlt expanding and developping. Today, location tracking is not surprising no one anymore. Smartphones users do not use the technology completely freely; they are not completely assured they are safe when sharing data with other users. Booking flights tickets and hotel room is really easy and take only 2 minutes. Users trust hotel website and do not imagine being stolen while putting their credit card number on the online booking system. Banks now have set up protection service, while booking online, users receive by sms a code to assure no one else is using their credit card. Parents want to protect their children from internet Parents are now really scared and want to protect their children. We, users, have no idea of what is going on behind the screen. When we think that every question our children asked and every statement they have made is now stored on a hard drive somewhere. Parents try to warn them about never revealing personal information online. At the same time, people feel anonymous on the net, and most users behave as if they cannot be seen. Users feel free to say whatever they want online, which they probably would not have done in the real world. Indeed, using new techonologies such as social network to expose photos and personnal information about what they do and where they go is really common today.

The right to be forgotten on Internet: a fight that lasts since 2006

What is the "right to be forgotten"? (Also known as RTBF)

The right to be forgotten is a concept or notion that appeared in European Union and Argentina in 2006 which has been put into practice in many countries all around the world. It is a derivative from numerous laws that consists in protecting private information about individuals. It basically gives the right to a person to delete definitively “any information relating to him/her”, whether they are true or false, valid or obsolete, on the Internet.

It is a real contradiction today because on one hand, users care more about datas they transmit as profiles can be established by exploiting them, and on the other hand, users disseminate information more important and complete that can be useful in their every day or professional life.

=> So, we could say that it is about finding the right middle in terms of privacy protection and use of datas.

To be forgotten on the Internet, be forgotten by Google, Facebook and others can seem impossible. Nevertheless, since May 2014 all citizens of the European Union thanks to the European Court of Justice may request deletion of web pages that contain personal datas that are “not relevant," obsolete" or "inappropriate". However, the chances of getting a positive answer from the search engine are still low. Indeed, in eight months 50,000 requests were submitted to Google via their online form by French Internet users, but the positive answers rate of the Internet Giant was about 42% in January 2015. This proves the interest of companies for datas that we put online.

The right to be forgotten against the right to speak up?

Many argue that the right to be forgotten would also mean restraining individuals to exploit their freedom of speech while so many people have fought in favor of it for years and are still fighting for it in some parts of the world. As a matter of fact, as the law specifies that “any information regarding the individual" could be deleted on the claim of this one (i.e.: not only information that he or she would have personally submitted), this would require to check any kind of information, regardless of its sources, that would have been posted by others (such as companies for example, that is to say mainly giant companies like Google and Facebook as mentioned earlier). However, critics have claimed that this would result in censorship and reduction in the freedom of expression in many countries as well as impacting big companies’ activities in such a violent way that even individuals could be affected in unexpected manners.

Furthermore, it is also about precising what do we mean by “inadequate”, “irrelevant”, “no longer relevant”, “obsolete”, and so on. Indeed, what does it mean to be relevant ? Relevant to whom ?

Even if people are not unanimous about this concept of « right to be forgotten », it does not prevent companies to make money with it.

This digital revolution that we are living today creates new needs that companies clearly understand. Have a good online reputation is one of those needs that people developed with time. If people are looking for a job for example, it is more and more common nowadays to have recruiters who “googlize people”. Companies specialized in online reputation help people to have a clean digital identity.

But we can ask ourselves something: is it normal for a person to pay a company to remove information about himself that can be wrong? Why companies have to take advantage of this kind of situation?

The right to be forgotten is still then a concept that has its lot of issues that need to be discussed.

The use of anonymity to protect one's identity

As traceability can be done on the Internet, anonymity seems to be one of the solutions available to users to protect themselves from these tracings but also to protect their personal data. The degrees of protection and access to anonymity are different depending on the usage an user has of the Internet or according to the degrees of "confidentiality" of the data it seeks to protect. In fact, there are three ways that can be used to protect one's privacy.

Protection of the personal informations

This level focus on the behavior of the users on the web and not on the tools that can be used to reach anonymity. It is indeed useless to try to reach a certain degree of anonymity on the Internet if you exhibit your life and little secrets to the world on Facebook.

Protection of the personal information This is the second level of anonymity on the Internet. In fact, many companies offer their services in exchange of your personal information. Such services collect the latter for financial purposes. It is the case for example of Google which collect all the personal data and record all the queries for targeted advertisements. In this case, the Google’s “don’t be evil” motto does not apply. Hence, in order to avoid to see your personal information collected, it is recommended to use alternative services. These includes:

  • Using a privacy-oriented search engine that does not track your searches such as DuckDuckGo
  • Using an alternative e-mail address that does not scan the e-mails you sent or received

Browsing with anonymity The final step to protect your identity on the Internet is to try to be as anonymous as possible. It is not an easy task as IP address and traffic are continuously tracked and analyzed by different actors (websites, search engines, social networks, internet service providers or ISP…). There are some tools that can be used to increase your anonymity including:

  • Web-based proxy: affect all the traffic going through a website and route it through a proxy server
  • Proxy server: server that route all your traffic to mask your IP address
  • Virtual Private Network or VPN: encrypt all your traffic (even your ISP will not be able to analyze it)
  • Tor Browser: relay your traffic through a multitude of proxy server before reaching the final destination

The bottom Line

One’s have to remember that complete anonymity is not possible when browsing on the Internet. All of the methods described above are only a way to increase your anonymity but will not guaranteed it. A good example is the infiltration of the CIA in advanced infrastructures (such as Internet cable) to spy on people. As the latter has proved to be able to analyze encrypted data, it may be a sign that even the technology used to become anonymous is outdated.

The use of digital identity in electronic services access

A digital identity is a kind of online ID card. Informations about the user are given by himself, in order to be known by the system. These informations are necessary to identify users and to authorize them to get access to the resources or the services provided by the system. In the context of e-government, such resources are for instance citizen or business services, such as Facebook or Linked In. So all these procedure before getting into the system are necessary in term of access control. Before a user with a digital identity is granted access to a service, several processing steps have to be performed. The first step is to obtain a form of digital identity. This may be a user name and password, email or even a nickname. Generally a user typically has several digital identities created by distinct issuers. Before creating any form of digital identity by a person, the issuer performs a process called registration. In a registration process the issuers check whether the digital form of identity is from the right person and whether the person match with all the prerequisites and is entitle to the given form of digital identity. In centralized, closed systems where users are known a priori, the traditional process of access control is used. In a centralized system, users are identified, authenticated and finally authorized. The process of access control usually comprises the following steps:

  • Identification: the user claims an identity, by giving a user name and a password.
  • Authentication: the claim of identity is verified by the system and check the match is the appropriate account.
  • Authorization: the system determines the actual rights of the subject. This usually entails looking up the right of the identified and authenticated user in an access control list.

So the time line from the registration to the E-Service is like this:

Registration > Digital identity > Identification > Authentication > authorization > E-Service.

However, sometimes the traditional approach to access control is inadequate. In a large-scale system such as the Internet, the set of users is not known a priori. Furthermore, subjects and resources often belong to different security domains administered by different organizations. In decentralized settings, the process of trust management replaces the traditional approach to access control. This approach bases authorization decisions on digital credentials. In trust management, service providers specify their access policy in a trust policy file. For every protected resource, this file states a set of credentials that a user must hold in order to be granted access. A trust engine processes this trust policy file. When requesting access to a protected resource, users present digital credentials to a service provider. The request and the user’s credentials are then passed on to the trust engine. Upon receiving a request for authorization, the trust engine verifies the user’s credentials and makes an access control decision in accordance with the trust policy. Only if the user can prove possession of the required credentials, access is granted. Trust management relies on digital credentials, which convey attributes in a trustworthy manner.

Digital Identity and the rise of Digital Identity Management

The rise of internet, websites, social medias etcetera has lead to a new opportunity for Digital Identity Management.

That is to say the ability of protecting and controlling data, often helped by a specialized company.

Security, access and privacy protections are major concerns of Digital Identity Management but it is also a way of controlling one’s interaction with the online environment.

It is a way of building trust and confidence regarding the internet and thus allowing innovation.