An Identifier is a piece of data that uniquely identifies an individual. This could be a national ID number, social security number or mobile phone number. Biometric information can also be seen as an identifier.
<aside> 💡
Identifiers and biometric information are central to the design and deployment of DPI. Identifiers are highly sensitive, as they link a person to a specific and often permanent identity.
</aside>
Integrating identifiers and biometric data into DPI offers efficiency and security benefits but also introduces significant privacy and human rights risks. A central concern is that once such data are collected and linked to an individual, they can easily be used as tools for surveillance, exclusion, discrimination, or repression. Unlike passwords, biometric traits cannot be changed; if leaked or misused, the harm to individuals is permanent.
Identifiers can act as serial numbers for people, automatically identifying them in various situations.
<aside> 💡
The reason we care about identifiers is linking. A good definition comes from the LINDDUN privacy threat model:
“Learning more about an individual or a group by associating data items or user actions. Linking may lead to unwanted privacy implications, even if it does not reveal one’s identity. Linking refers to any act of associating different data elements to each other (incl. metadata) in such a way that it leads to undesirable privacy implications. This means that the combination of related data items will reveal (additional) information about a data subject (or groups of data subjects). By matching several data items based on recurring attributes or properties, a user profile (or group profile) can be built. Simply put, linking means learning more about an individual (or a group) by matching related data items together. Linking typically relies on a recurring identifier, a combination of attributes (quasi-identifiers) or profile that allows data to be singled out. This means that one can be confident it all belongs to the same individual (without necessarily revealing the individual’s identity). In addition, linking can also be applied to data of several individuals by matching similar properties in order to learn additional information about the group as a whole.”
</aside>
<aside> 📌
A DPI that relies on a single identifier in all transactions exposes users to a high risk of tracking and profiling.
</aside>
The laziest and most dangerous DPIs rely solely on a unique persistent identifier for every transaction. This attribute uniquely represents one person throughout their life. You can think of it as a serial number for a person.
In every interaction where this number is used, it can be traced back to the individual. Even when such an identifier is not used outside of the public sector, it remains relatively easy for the government to combine all information about one person into a panopticon view.
Such identifiers should be limited to interactions with the government or companies that are legally required to identify their customers, such as banks.
A minor improvement is to use different identifiers for different sectors, for example when the health, education and justice sectors each hold a different identifier for the same person. Such a system can be privacy-preserving, as it intentionally makes it harder for one public sector to access information from another. Austria has been using this system since 2004.
Outside of the public sector, this type of identifier can easily be abused. An online or social media identifier would enable Big Tech companies to track individuals across platforms.
The Pairwise Pseudonymous Identifier is specific to each relying party but remains stable across interactions with the same relying party. This lets the relying party recognize the user, for example to log them back into their account, but it prevents interactions from being tracked across relying parties.
This offers the right level of identification for most, if not all, use cases involving authentication and identification.
When an interaction is unlinkable, the relying party has no way to correlate the transaction back to the same user. Unlinkability protects users' interactions from being tracked, as neither the content of the transaction nor its metadata provides information that links back to the individual. Of course, if a user chooses to identify themselves with their full name, date of birth and address, the transaction cannot be unlinkable. But if a user simply purchases a train ticket or proves their vaccination status, unlinkability is a privacy-respecting way to carry out that interaction.
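As an added example (not code from this page, from Austria's actual scheme, or from any real DPI), the following Python simulation contrasts the three designs discussed above: a persistent serial number, a pairwise pseudonymous identifier derived with an HMAC under a key held only by the identity provider (an assumed construction), and a fresh random token per transaction for unlinkable interactions. The user names, root identifiers, key and transaction log are constructed for the example; the linking check shows which design lets two relying parties match their records.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data: root identifiers known only to the identity provider
# (hypothetical values, not real people) and the provider's secret key.
ROOT_IDS = {"alice": "000123", "bob": "000456"}
IDP_KEY = b"constructed-idp-secret-key"

def persistent_id(user, relying_party):
    """Weak design: one serial number per person, shown to every relying party
    (relying_party is ignored on purpose)."""
    return ROOT_IDS[user]

def pairwise_id(user, relying_party):
    """Pairwise pseudonymous identifier: keyed derivation per (user, relying party).
    Stable for one relying party, unrelated across relying parties, and not
    recomputable by a relying party that lacks IDP_KEY (assumed construction)."""
    msg = f"{relying_party}\x00{ROOT_IDS[user]}".encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()[:32]

def unlinkable_id(user, relying_party):
    """Unlinkable transaction: a fresh random token, so even the same relying
    party cannot tie two transactions to the same person."""
    return secrets.token_hex(16)

# Constructed transaction log: (user, relying party) pairs.
TRANSACTIONS = [("alice", "health"), ("alice", "education"), ("bob", "health"),
                ("alice", "health"), ("bob", "education")]

def relying_party_logs(id_fn):
    """What each relying party ends up storing under the given identifier scheme."""
    logs = defaultdict(list)
    for user, rp in TRANSACTIONS:
        logs[rp].append(id_fn(user, rp))
    return dict(logs)

def distinct_ids_seen(logs, relying_party):
    """Distinct identifiers one relying party holds (2 means it recognises returning users)."""
    return len(set(logs[relying_party]))

def cross_sector_links(logs):
    """Linking in the LINDDUN sense: two relying parties compare logs and count
    identifiers present in both, i.e. people they can profile across sectors."""
    return len(set(logs["health"]) & set(logs["education"]))
```

Running `cross_sector_links(relying_party_logs(fn))` for each of the three functions gives 2, 0 and 0 links respectively, while `distinct_ids_seen` on the health log gives 2, 2 and 3, showing that only the pairwise design keeps per-party recognition without cross-party linking.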