Alexandre Maravilla

Former Product Manager in Identity and Fraud Prevention at Telefónica Tech. Passionate about entrepreneurship, strategy and technology.

Cyber Security
AI & Data
Web3 and the evolution of Internet Identity
The recent rise of Web3, the new evolution of the Internet that aims to decentralise it through blockchain, is also bringing a lot of talk about decentralised identity schemes and their application in this new and seemingly promising evolution of the networked world.

The evolution of the Internet can be summarised in these 3 stages:

- Web 1.0 (1990-2005): open protocols (the Internet of directories)
- Web 2.0 (2005-2022): closed platforms (the power or the "big brother" of Big Tech)
- Web3 (2022 onwards): decentralised Internet (a more democratic and private Internet)

For its part, the evolution of identity, linked to that of the Internet, can be summarised as follows:

- Identity 1.0: centralised identity (username and password)
- Identity 2.0: federated identity (identity-related data as a business)
- Identity 3.0: decentralised or self-sovereign identity (giving control of identity back to users through identity wallets)

Username and password (Identity 1.0)

We refer to this model as centralised identity because each digital service provider or platform (ecommerce, banking, telecommunications, streaming services, etc.) stores the information and personal data of all its users centrally. We access these services with our username and password (in most cases), creating as many different identities as the number of Internet sites on which we register.

Storing the identities of thousands or millions of people in databases is a problem both for digital service platforms and for their users. These centralised databases are a tempting target for cybercriminals, who try to steal the personal information stored in them. The purpose of these acts of cybercrime is to make a financial profit by illegally selling the stolen information.

Centralised identity puts at risk the privacy of users and the security of companies or service providers, and also offers a poor user experience.

Log in with Facebook (Identity 2.0)

The previous model, in addition to being a nuisance for users (we must maintain as many identities as the sites we register on), poses a privacy problem for users, and a problem for companies or digital service providers in terms of compliance with personal data protection regulations.

Thus, the idea of delegating the processing of users' identities to specialised providers seems to make sense. We refer to it as federated identity. Most of us are already registered with Google or Facebook (to give an example), so why not use these identities to access other digital services or platforms?

In the federation model, we create our identity once (e.g., we sign up for Facebook), and use it in our subsequent interactions on the Internet (e.g., to access Spotify). The advantage for users is obvious: the model is convenient. The problem is that we are giving too much power to these hyper-providers of identity solutions.

In the example of Facebook, it knows exactly where we log on to the Internet, where from and when we log on, as well as keeping a record of our personal information, which it always shares with the third parties we log on to. Can we imagine what Facebook can do with all this information? Undoubtedly, make money, lots of money. In fact, thanks to this, Facebook offers companies and Internet platforms, free of charge, the possibility of using its federated identity solution.

Federated identity improves the user experience, but still puts users' privacy at risk through uncontrolled monetisation of their personal data.

ID Wallets (Identity 3.0)

Identity wallets (ID Wallets) are the visible and user-friendly part of decentralised identity or self-sovereign identity models. These wallets are applications installed on users' mobile devices, capable of securely and privately storing all their personal information. In this way, users' personal data is only guarded by the users themselves. There is no central authority or hyper-identity provider controlling this personal data.

This model keeps the advantage of federated identity (we only create a single identity, in this case in the ID Wallet), and it also solves the problem related to the privacy risk of users' personal data. In this way, the handling of identity-related information is returned to its rightful owners, the users, preventing unauthorised use of their personal data.

As with Web3, decentralised identity is based on blockchain technology, which is the technological layer that validates the authenticity of the personal and private information that is shared, thus enabling an ecosystem of trust between the parties involved and returning control of personal data and identity to the users.

Decentralised identity based on blockchain and ID Wallets solves the privacy and power abuse problems of centralised platforms, while preserving the good user experience of federated schemes.

Web3 and Decentralised Identity

Assuming that the future of the Internet lies in redefining its architecture towards a decentralised model is perhaps at this stage (given the complexity of the task) still a bit risky. However, decentralised identity schemes are making good progress and could act as the tip of the iceberg or the spearhead of the Internet's evolution towards Web3.

In both cases (Web3 and identity), the goal is the same: to foster more transparent, democratic, private and trustworthy information exchange schemes, without handing over our digital sovereignty to large Internet platforms.
January 3, 2023
Cyber Security
Digital Identity Wallets against identity theft fraud
Identity theft or impersonation is a type of fraud in which criminals manage to supplant the identity of the person being deceived, based on the theft of their personal information.

In this particular case, the victim lost his national identity card, or perhaps it was stolen on purpose, but either way, it ended up in the hands of fraudsters. Identity theft based on a stolen ID card is a technique that is unfortunately on the rise, largely because, since the advent of COVID-19, most transactions have become digital and are carried out remotely.

How to prevent phishing fraud

The most effective suggestion and solution is to reduce the amount of personal information shared as much as possible. For example, when asked to send a scanned ID card, do so while partially blocking out information that is not strictly necessary, such as the expiry date, the postal address, or the photograph.

However, sometimes requests to send personal information go beyond the ID card and may ask for financial or tax data such as invoices, bank transactions or even tax returns. This type of request is common in banks to prevent money laundering, but it is also common for this personal data to be requested for procedures related to the evaluation of financial solvency, for example, by landlords in the case of rental housing.

Can we refuse to share this type of personal information? The current law requires the recipient of such personal data to process such information in accordance with the European Data Protection Directive (GDPR), but the recipient is entitled to request it.

Fraudsters try to trick victims by posing as fake landlords, fake sellers, or even lenders. All of this is done to collect personal information that allows them to impersonate the victim and gain access to credit, open bank accounts from which to launder money (through mule accounts) or make fraudulent purchases.

Digital Identity Wallets to the rescue

An "ID Wallet" is a cryptographic application that is installed on our mobile devices, allowing us to store and share credentials related to our identity and its attributes. These applications allow us to verify our identity without sharing our ID card, or for example to validate our financial solvency without sharing invoices, bank transactions or tax returns.

How do they work? By storing credentials linked to our identity that can be verified and validated by third parties. For example, we can store in the wallet our ID card along with our financial information issued by our bank.

When a landlord asks us to prove that we live in Spain, that we are over 18 years of age and solvent, we can share our identity card (which is not the same as the DNI), together with the financial solvency card (which is not the tax return or bank details). In this way, we will be validating the conditions required by the landlord, without the need to share any personal data that could be manipulated or used without our consent.

The underlying technology in this whole process is blockchain, which ensures that the information stored in the wallet is accurate, and that the issuing authority is trustworthy. In this way the recipient of the information can validate its legitimacy.

A not-so-distant future

The European Union is already working on this type of solution and aims for all EU citizens to have access to this technology by 2024. In Spain, several initiatives are beginning to emerge, such as the Alicante ID project, which aims to create a local digital identity ecosystem, so that citizens, administrations and companies can exchange verifiable credentials stored in identity wallets.

The aim of all these projects is to return control of personal data to those to whom it belongs, the users themselves. Privacy in the processing of personal information increases security and prevents online fraud.
February 7, 2022
Cyber Security
Onboarding and biometric authentication to fight online fraud
Online fraud has grown significantly since the pandemic of the early 2020s accelerated the digital transformation of businesses and citizens. This is evidenced by the latest report from the Spanish Anti-Fraud Association, in which 71% of respondents say that in recent months there have been more fraud attempts than last year, with customer identity fraud being the most recurrent in companies according to 58% of respondents.

What is customer identity fraud?

The type of fraud whereby fraudsters use legitimate customer data to impersonate a customer, both at the time of opening an account or registering for a service (Onboarding), and at the time of accessing the account or previously contracted services (Authentication).

Account Opening Fraud

Attackers try to circumvent the identity and fraud prevention controls in the onboarding process by using stolen real identities, or synthetic/simulated identities that do not belong to any real citizen and are created by Artificial Intelligence.

Account Takeover Fraud

Attackers attempt to bypass identity and fraud prevention controls in the authentication process by stealing user credentials, essentially passwords exposed on the dark web as a result of the countless data breaches in recent years.

How can companies prevent customer identity fraud?

By incorporating Digital Onboarding (account opening) and Biometric Authentication (passwordless access) processes into their business and operational flows.

Digital Onboarding mechanisms verify the real identity of a citizen who has no previous relationship with the company, by comparing their biometric facial features against the photograph of their national identity card (issued by an authorised or trusted source).

Biometric Authentication mechanisms corroborate that the person trying to access a digital service corresponds to a previously registered user or customer whose real identity has been verified. To do so, they validate the identity of the user by comparing the biometric features presented at the time of access against the biometric pattern registered and stored at the time of registration/onboarding.

Phases in the Digital Onboarding process

Onboarding can be broken down into two main blocks: Identity Proofing techniques and Identity Affirmation techniques.

The Identity Proofing process has the following phases or stages:

- Verification of the validity of the national identity document presented:
  - Through OCR (Optical Character Recognition) technology
  - Through NFC (Near-Field Communication) technology, if the presented document and the device on which the Onboarding is performed support this technology
- Selfie capture and proof of life. Proof of life is about validating that the person who is Onboarding is a real person and not an impostor impersonating through stolen or synthetic identities. It is currently the most critical factor in the whole process. There are ISO/IEC 30107 industry certifications that accredit that a supplier complies with the necessary standards to carry out this process with guarantees.
- Biometric verification between the selfie and the photograph of the national identity card presented. NIST (National Institute of Standards and Technology) scores the effectiveness of biometric algorithms through its "Face Recognition Vendor Test".
- "Manual" checking of the process by specialised agents (only for use cases where compliance with anti-money laundering regulations is required)

In addition to the Identity Proofing process, there are processes aimed at detecting fraud in Onboarding which, as opposed to focusing on checking or validating the national identity document, carry out checks against other user data or parameters. These techniques are known as "Identity Affirmation Tools". Examples include:

- Checking the user's identity data (name, postal address, telephone number, date of birth) against official databases: census/electoral data, credit bureau or financial registers or databases. It is also possible to connect directly to state databases with the prior authorisation of the authorities (in Spain, the national police is the owner and responsible for the custody of the DNI databases).
- Checking the user's digital attributes: email, IP address, or social networks. For example, comparing the geolocation of the IP address against the postal address that appears on the ID card provided.
- Checking parameters of the user's device. The information collected about the operating system, the browser and its plug-ins, and about the hardware and its characteristics, is used to create what is known as a "Device Fingerprint".
- Behaviour analytics. Analysis of typing cadence, mouse movements, or the speed at which forms are filled in can indicate that the person behind the screen is not a real person but a robot trying to automate the process.

Onboarding and Biometric Authentication Challenges

Onboarding and Biometric Authentication mechanisms help prevent online fraud while improving the user/customer experience in their interaction with the identity and access management systems of digital platforms.

Among the main challenges faced by the industry are issues related to privacy management and compliance with various data protection regulations. Biometric data are highly sensitive: unlike passwords, which can be reset and changed as many times as you want, they refer to physiological traits that are impossible to change.
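The Identity Affirmation checks listed in this article (IP geolocation against the postal address on the ID, device fingerprint, form-fill speed and typing cadence) can be sketched as follows. This is an added example, not code from the article or from any product: the field names, thresholds, the idea of flagging one device that presents several identities, and the sample data are all assumptions, and the IP address is assumed to be already resolved to a region code.

```python
import hashlib
import json
import statistics

def device_fingerprint(attrs):
    """Hash canonicalised OS, browser, plug-in and hardware attributes."""
    canonical = {
        "os": attrs.get("os", "").strip().lower(),
        "browser": attrs.get("browser", "").strip().lower(),
        # Sort plug-ins so enumeration order does not change the fingerprint.
        "plugins": sorted(p.strip().lower() for p in attrs.get("plugins", [])),
        "hardware": attrs.get("hardware", "").strip().lower(),
    }
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def affirmation_signals(app, seen_devices, min_fill_s=5.0, min_jitter_ms=8.0):
    """Return the risk signals raised by one onboarding attempt.
    seen_devices maps fingerprint -> document ids seen from that device."""
    signals = []
    # Digital attributes: IP geolocation vs. postal address on the ID document.
    if app["ip_region"].upper() != app["id_address_region"].upper():
        signals.append("ip_region_mismatch")
    # Device parameters: one device presenting several identities (assumption).
    fp = device_fingerprint(app["device"])
    if seen_devices.get(fp, set()) - {app["document_id"]}:
        signals.append("device_shared_across_identities")
    seen_devices.setdefault(fp, set()).add(app["document_id"])
    # Behaviour analytics: implausibly fast form completion ...
    if app["form_fill_seconds"] < min_fill_s:
        signals.append("form_filled_too_fast")
    # ... or machine-regular typing cadence (too little timing jitter).
    gaps = app.get("key_intervals_ms", [])
    if len(gaps) >= 5 and statistics.pstdev(gaps) < min_jitter_ms:
        signals.append("uniform_typing_cadence")
    return signals

# Constructed sample attempts (not real data); "XX" is a made-up region code.
DEVICE = {"os": "Android 13", "browser": "Chrome 118",
          "plugins": ["pdf-viewer", "widevine"], "hardware": "arm64/8GB"}
HUMAN = {"document_id": "DOC-PLACEHOLDER-1", "ip_region": "ES-A",
         "id_address_region": "ES-A", "device": DEVICE,
         "form_fill_seconds": 74.0,
         "key_intervals_ms": [180, 95, 240, 130, 310, 160]}
BOT = {"document_id": "DOC-PLACEHOLDER-2", "ip_region": "XX",
       "id_address_region": "ES-M",
       # Same device, plug-ins reported in a different order and case.
       "device": dict(DEVICE, plugins=["Widevine", "PDF-Viewer"]),
       "form_fill_seconds": 1.2,
       "key_intervals_ms": [50, 50, 51, 50, 49, 50]}

def demo():
    seen = {}
    return affirmation_signals(HUMAN, seen), affirmation_signals(BOT, seen)

if __name__ == "__main__":
    print(demo())
```

Each signal on its own is weak evidence (a VPN or a shared family phone will trigger one), so the output is a list to feed into a scoring or review step rather than a verdict.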
December 20, 2021
Cyber Security
Europe's new digital identity; sovereign identity wallets
Have you ever stopped to think about how many user accounts we have on the Internet? Bank accounts, utility providers, social networks, email, e-commerce... Nowadays we handle an almost infinite number of digital services.

How many times did you have to repeat the same registration process? Do you remember what personal information you shared each time? Do you know what personal data is stored and processed by each of these services you are registered with?

According to a Eurobarometer survey, 72% of users want to know how their data is processed when using digital services, and 63% of EU citizens want a single, secure digital ID for all online services.

A new European model for digital citizen identity

In this context, on June 3, 2021, the European Commission announced its new proposal for a secure and trusted digital identity. In the words of Ursula von der Leyen, President of the European Commission:

«Whenever an app or a website asks us to create a new digital identity or to easily connect through a large platform, we really have no idea what happens to our data. This is why the Commission will propose a secure European e-identity. An identity that we trust and that every citizen can use everywhere in Europe for everything from paying taxes to renting a bicycle. A technology allowing us to control for ourselves what data is used and how it is used»

From user accounts to sovereign identity wallets

The EU has set out to regain sovereignty over our personal data and is working on the definition of the new digital identity model, based on identity wallets. A wallet is a cryptographic application that is installed on our mobile devices, allowing us to store and share credentials related to our identity and its attributes.

This new model is based on:

- The concept of sovereign/decentralised identity on blockchain
- Verifiable credential exchange standards

Under this new paradigm, users go from having as many identities or user accounts as the digital services they use, to a single identity that we carry on our mobiles, and that we share totally or partially (through the attributes of the identity) with the rest of the world.

Binding Directive for EU countries

The new regulation on electronic identification (eID) is part of the European regulatory scheme eIDAS (electronic IDentification, Authentication and trust Services), and will be mandatory for EU Member States, which by the end of 2023/beginning of 2024 at the latest will have to provide their citizens with an identity wallet that will enable them to:

- Access public services and apply for e.g. a birth or medical certificate, or report a change of address
- File their tax return
- Apply for a place at a public or private university in any EU member country
- Open a bank account
- Store a medical prescription that can be used anywhere in Europe
- Validate their age online/offline without having to share/show their national identity document
- Rent a car using a digital driving licence
- Check into a hotel

Impact on the private sector

This new regulation will also be mandatory for the private sector, in particular for those online services that need to implement "strong" authentication mechanisms. This includes sectors such as transport, energy, banking and financial services, insurance, health, telecommunications and education, as well as large online platforms such as Google, Apple, Facebook and Amazon.

According to the European Commission, it is estimated that the implementation of this new identity model will benefit the private sector through:

- Reducing the operational costs of identifying, authenticating and managing their users' personal data
- Reducing online fraud

Recovering digital sovereignty

Decentralised/sovereign identity models have long been a hot topic in the identity field. There was a consensus among experts on their usefulness and technical feasibility, but there was a lack of momentum to validate their economic viability, a lack of a use case to energise the ecosystem. Now it seems that this momentum has finally arrived via the EU.

All in all, the horizon suggests that we are beginning to redefine identity as we know it to date: a new model of identity designed for people, in which attributes such as privacy and sovereignty over personal information are defining factors from its initial conception.
October 11, 2021