The “Privacy by Design” principle has been known for years and was the subject of the resolution adopted by the 32nd International Conference of Data Protection and Privacy Commissioners in 2010. The GDPR, in Article 25, regulates the principle of “Data protection by design and by default”. A premise is necessary. Confidentiality, or “privacy”, is in Europe a fundamental right under Article 7 (Respect for private and family life) of the Charter of Fundamental Rights of the European Union, which states:
Everyone has the right to respect for his or her private and family life, home and communications.
The formulation of the cited provision presents a very broad concept of privacy which, centered on the person, ranges from private and family life, to home and communications. The subsequent Article 8, paragraph 1, provides:
Everyone has the right to the protection of personal data concerning him or her.
It is evident that the two rights are completely different. In the United States, on the other hand, it is customary to present the issue in terms of “Data privacy and protection”, that is, confidentiality and protection of personal data. In essence, with the expression “data privacy” it seems that in the USA the object of confidentiality is narrowed - compared to Europe - remaining limited only to personal data. That said, the GDPR in Article 25 regulates data protection by design and by default. This is an important principle as its violation exposes the data controller to the sanction of Article 83, par. 4 (up to 10,000,000 euros). For more information on PbD or DPbDbD, please refer to my latest volume entitled “GDPR & privacy: awareness and opportunities. Reasoned analysis of personal data protection between ethics and cybersecurity”.
What is IRMA?

IRMA is a project of the Privacy by Design Foundation. On February 21, 2019, Prof. Jacobs presented the IRMA project at “The Royal Institution” in London.
Prof. Jacobs explained that the IRMA project focuses on electronic identity (eID): in particular, on keeping it always under the direct control of the data subject while, at the same time, allowing those who manage online platforms to be certain about the identity of those who intend to access them. The IRMA project is ambitious, and it is presented as having the strength of being GDPR compliant, specifically with the principle set out in Article 25.
Currently, access to some online platforms is allowed through “social login”, that is, through accounts on the main social networks (Facebook, LinkedIn and Twitter). Beyond the aspects related to the security of personal information, this method can also entail risks of user profiling.
In fact, when a user accesses an online platform using “social login”, they authorize the social network (e.g. Facebook) to provide their personal information to the service they intend to use. The service provider then acquires that information from the social network through which the user has allowed access.
The IRMA documentation describes the project in the following terms:
“IRMA is a set of software projects implementing the Idemix attribute-based credential scheme, allowing users to safely and securely authenticate themselves as privacy-preserving as the situation permits. Users receive digitally signed attributes from trusted issuer, storing them in their IRMA app, after which the user can selectively disclose attributes to others”
Essentially, as illustrated in the official project documentation, the flow that is used is as follows:

One of the most important aspects is the so-called electronic identity (eID), since those who offer the service need to identify the user who intends to access the online platform and sometimes to verify their age. IRMA is open source software, and the source code is available to anyone, so it is possible to evaluate what its processes are.
Another aspect highlighted by Prof. Jacobs concerns access to platforms that decide to adopt IRMA. If the user wants to access a platform that has joined the IRMA project and implemented the related service, then instead of using social login they can use the app on their smartphone to read a QR code generated by that platform. Through the app (which has been developed for both Android and iOS mobile devices), the user makes a request to the IRMA server which, according to the project documentation, assigns a random session token, allowing the user to keep only on their own device the data and personal information necessary to access the platforms.
The characteristic of leaving personal data on the user’s device and not transferring it to the platform that provides the service, according to Prof. Jacobs makes the project compliant with Article 25 of the GDPR.
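As an added illustration (not part of the original article and not IRMA's code), the sketch below models the flow described above and in the documentation quote: an issuer signs attributes, the platform opens a session under a random token, and the wallet discloses only the requested attribute. It assumes salted SHA-256 commitments signed with Ed25519 as a stand-in for the Idemix scheme, so it does not provide Idemix's unlinkability, and every function and attribute name in it is hypothetical.

```javascript
// Added illustration, not IRMA code: salted SHA-256 commitments signed with
// Ed25519 stand in for Idemix. All function and attribute names are hypothetical.
const nodeCrypto = require('crypto');
const randomHex = () => nodeCrypto.randomBytes(16).toString('hex');
const commit = (name, value, salt) =>
  nodeCrypto.createHash('sha256').update(JSON.stringify([name, value, salt])).digest('hex');
const sessions = new Map(); // platform-side session store

// Issuer: signs one salted commitment per attribute, not the plain values.
function issue(issuerKey, attrs) {
  const salts = Object.fromEntries(Object.keys(attrs).map((n) => [n, randomHex()]));
  const digests = Object.keys(attrs).map((n) => commit(n, attrs[n], salts[n])).sort();
  const signature = nodeCrypto.sign(null, Buffer.from(digests.join('|')), issuerKey);
  return { attrs, salts, digests, signature }; // kept only in the user's wallet
}

// Platform: opens a session under a random token; the QR code would carry it.
function startSession(requested) {
  const token = randomHex();
  sessions.set(token, { requested });
  return token;
}

// Wallet: after the scan, reveals only the requested attributes and their salts.
function disclose(cred, requested) {
  const revealed = requested.map((n) => ({ name: n, value: cred.attrs[n], salt: cred.salts[n] }));
  return { revealed, digests: cred.digests, signature: cred.signature };
}

// Platform: checks the token, the issuer signature and each revealed commitment.
function verifyDisclosure(token, proof, issuerPublicKey) {
  const session = sessions.get(token);
  if (!session || !sessions.delete(token)) return null; // unknown or reused token
  const signed = Buffer.from(proof.digests.join('|'));
  if (!nodeCrypto.verify(null, signed, issuerPublicKey, proof.signature)) return null;
  const out = {};
  for (const name of session.requested) {
    const r = proof.revealed.find((x) => x.name === name);
    if (!r || !proof.digests.includes(commit(name, r.value, r.salt))) return null;
    out[name] = r.value; // anything not requested is ignored
  }
  return out;
}

// Constructed sample data: an age check that never sees the name or birth date.
function demo() {
  const issuer = nodeCrypto.generateKeyPairSync('ed25519');
  const cred = issue(issuer.privateKey, { name: 'Alice Example', birthdate: '1990-01-01', over18: 'yes' });
  return verifyDisclosure(startSession(['over18']), disclose(cred, ['over18']), issuer.publicKey);
}
```

The platform ends up with the single attribute it asked for, while the name and birth date remain in the wallet as salted digests it cannot open.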
This is an ambitious project that, however, requires the willingness of platform managers to adopt it. In Italy, as is known, there is the Public System of Digital Identity - SPID through which it is possible to “access all online services of the Public Administration with a single Digital Identity (username and password) usable from computer, tablet and smartphone”.
If SPID is reserved for the PA, in the private sector it could be interesting to apply IRMA. I asked Prof. Jacobs whether an implementation of the IRMA project on blockchain is planned; it could probably have added value.
