[Interview] Gregory Kuhlmey, IDEMIA: Biometrics in Digital Identity Wallet
The EU is going all in on its Digital Identity Wallet program, a project that is a source of both hope and worry. Digital Identity Wallet advances, privacy protection, international examples, the role of biometrics, the ethics of algorithms… Gregory Kuhlmey, IDEMIA’s Digital Identity Program Manager, tells us all about this digital door opener and biometrics, a building block of the plan. Interview.
Gregory Kuhlmey, can you tell us about yourself?
I’m a member of the digital identity team within the PSI division, which provides governments with physical and digital identification systems. Since the digital ecosystem is both public and private, we also service companies that need a level of insurance fixed in government systems. Within the team, I take care of strategic projects, including the Digital Identity Wallet.
In what ways are biometrics a crucial piece of the digital identity puzzle?
Biometrics play a role at two crucial stages: when opening the Digital Identity Wallet, they guarantee its creator is the right person through biometric verifications, including a face-to-face interview. But the Digital Identity Wallet is also designed to be used online. When it is being used, biometric verifications ensure the right person, and not a robot, is handling the Digital Identity Wallet.
How does this happen?
We compare biometric data collected by the user’s device to a reference database. The latter must be reliable, and constitute what we call the root of trust. Once this crucial step is completed, we can open up digital identity to much wider uses, since we can always go back to this root of trust.
IDEMIA is a historical partner of States in creating this root of trust, whether in the form of a physical document with a reference stored in a chip or with the same information stored in centralized databases, which can be accessed for the initial verification.
Biometrics are a crucial element in creating and using the Digital Identity Wallet. They are a means of securing identity, but eventually also a driver’s license, medical information or payment data.
As it happens, digital identity is making progress with the EU Digital Identity Wallet. What is IDEMIA’s stance on the issue?
This project is going to kickstart the use of digital identity in Europe and we are very pleased with the EU’s approach, which is centered around protecting citizens’ privacy. IDEMIA is closely following this program and contributing to it. We are committed to bodies like the French Alliance for Digital Trust (Alliance pour la confiance numérique, or ACN), which represent the industry before European institutions.
How is this project being built?
The EU is currently choosing standards and technical tools. The stance manufacturers take will depend on each State’s requirements, but what is sure is that they will be interoperable. The EU’s project is based on best practice by private and public players, including IDEMIA’s in India, the UK, the United States etc.
Although the framework and regulations will come from Brussels, implementation will take place on a national level. We will be able to support States, armed with feedback from the field: we have already released 1.5 million Digital Identity Wallets in the United States, South America and the Nordic countries.
Are such projects a danger to privacy?
The European program avoids this pitfall, as it is centered around citizens’ consent every step of the way. The Digital Identity Wallet is based on your old leather wallet. The user keeps his private data on his person, and knows who he shows it to and in which context. However the Digital Identity Wallet takes it a step further: it monitors the use of his personal information. The data is only shared for a given transaction and no copies are made without the user’s knowledge.
The sharing is clever, and shows only information that is useful to a specific process: for example, if you have to prove you are over 18 years of age, you don’t have to share your name or your address, which is not the case with a physical ID card.
An opaque use of data, a Chinese-style social credit system, many fears remain…
The European process is very different from the American approach, which delegates digital identity management to Big Tech, raising issues on the use of personal data.
It is also opposed to the centralized Chinese method and its widespread policing of citizens. By design, the European Digital Identity Wallet prevents Big Brother-type drifts: the various databases are not interconnected, as opposed to what is going on in China. In Europe the only point of contact between databases is in the user’s device. There are no backend interconnections between systems that could then crosscheck data. The architecture itself of the wallet shields us from these potential drifts.
A decentralized approach is therefore key…
Indeed, this is what we recommend, and this is the path the EU has chosen. In modern-day ID cards, the chip contains data that identifies the cardholder. To create the wallet, we just need to access the chip, and not a centralized database. The same goes for opening the digital identity in the ecosystem: this is the “identity on the edge” concept. The data is stored on the device, thus there is no possibility of a scalable cyberattack on any given database.
Are there other safeguards?
The key is to rely on independent authorities that regulate and monitor uses. In France we have the CNIL (data protection authority), with equivalent bodies in each European country, which guarantee an ethical use of digital identity systems.
In addition, products must be certified in terms of security, in order to be sure the data isn’t leaked. To guarantee this, solutions are audited by ethical hackers. Reassuring the public in this manner is key to a proper rollout of these solutions.
One of the first European countries to implement widespread digital identity was Ukraine. What lessons can we learn from this experience?
The Ukrainian experience has shown the importance of digital identity on a day-to-day basis. Kiev has equipped citizens with an identity that allows them to exist and exercise their rights wherever they may be; it really is incredible! However, the European project is more ambitious, as it is interoperable and must function on and offline, as opposed to the Ukrainian wallet. That being said, Ukraine is one of the countries that will take part in the European Digital Identity Wallet pilot project, which will kick off next year. To this end, we will take this experience into account.
IDEMIA insists on the equity of its algorithms. Can you clarify this concept?
This is about ensuring biometric algorithms treat each individual in the same manner, with no bias as to age, gender or ethnicity. Everyone must benefit from the same level of performance and precision in the processing of their biometric data.
This is a complex issue, since our algorithms run on machine learning: they are tested with learning bases, but the latter can be biased. For example, students may be an overrepresented category, or darker skin tones may be less distinguishable. This is why we remain very mindful of representation in our learning bases, in terms of age, gender and ethnicity.
We make sure our algorithms are fair through independent benchmarking. Thus we regularly submit them to the American National Institute of Standards and Technology. If the algorithm did not perform as well for certain segments of the population, the people affected would be marginalized from society, which is digitalizing.
The digital responsibility of companies is becoming a major concern. Is fairness in algorithms a part of this process?
An identity for all is our responsibility. Indeed, a billion people on Earth do not have an official identity, which is essential to living in a fair and inclusive society, where everyone can exercise their rights. In order to raise awareness about the importance of this issue, we took part in International Identity Day, which was held on September 16.