<aside> 💡
DPI wants to become a constant companion for daily interactions. Without unobservability, these daily interactions could be surveilled by whoever operates the DPI.
</aside>
Unobservability protects the specific user behavior by preventing a third party from gaining knowledge about any particular transaction.
Unobservability can be achieved in various ways. The strongest approach is when the technical architecture prevents a third party from even obtaining information about user transactions. This could be achieved when the user and the relying party communicate directly with each other, without any third party (like a government server) being involved in the transaction. Many decentralised digital identity or offline verification solutions offer this technical type of protection.
The weakest approach to achieve unobservability is by regulatory or administrative means. This is usually the case in centralized systems where the user has to involve a server to execute the transaction. This server typically knows which user is attempting to interact with which relying party and often also has access to the content of the transaction. With such an architecture, we can only rely on laws or government assurances not to collect this type of information.
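The difference between the two architectures, as an added example that is not part of the original page: a relying party checks a signed credential either locally or by asking the issuer's server, and the code records what the issuer can observe in each case. The Ed25519 credential format, the function names, the `user-123` subject and the `.example` relying parties are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Issuer key pair (e.g. a government ID service), generated for this demo.
const issuer = crypto.generateKeyPairSync('ed25519');
const issuerLog = []; // everything the issuer's server gets to see

// Issuance happens once; the user keeps the signed credential on their device.
function issueCredential(claims) {
  const payload = Buffer.from(JSON.stringify(claims));
  return { payload, signature: crypto.sign(null, payload, issuer.privateKey) };
}

// Direct model: the relying party checks the issuer's signature locally with a
// public key it already holds. No request leaves the two parties.
function verifyOffline(credential, issuerPublicKey) {
  return crypto.verify(null, credential.payload, issuerPublicKey, credential.signature);
}

// Centralised model: the relying party asks the issuer's server, which
// therefore learns who presented a credential, to whom, and when.
function verifyViaIssuer(credential, relyingParty) {
  const claims = JSON.parse(credential.payload.toString());
  issuerLog.push({ subject: claims.subject, relyingParty, at: new Date().toISOString() });
  return crypto.verify(null, credential.payload, issuer.publicKey, credential.signature);
}

// Run the same three presentations through one model; return what the issuer saw.
function simulate(mode) {
  issuerLog.length = 0;
  const cred = issueCredential({ subject: 'user-123', over18: true });
  const visits = ['pharmacy.example', 'clinic.example', 'union-office.example'];
  const results = visits.map((rp) =>
    mode === 'offline' ? verifyOffline(cred, issuer.publicKey) : verifyViaIssuer(cred, rp));
  return {
    allValid: results.every(Boolean),
    observed: issuerLog.map((e) => `${e.subject} -> ${e.relyingParty}`),
  };
}

console.log('offline   :', simulate('offline'));
console.log('phone home:', simulate('phone-home'));
```

Both models accept the same credential, but only the centralised one leaves the issuer with a per-user list of relying parties. The fixed signature here is still a stable value that relying parties could compare among themselves, so the example covers observation by the issuer only.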
Once information about specific user behaviour is accessible at a central point in the DPI, it is likely to be retained and used for other purposes. Very often the reasons might be ‘enhancement of the service’, ‘training of AI’ and, while not always said out loud, ‘national security interests’.
Since such data offers enormous control over large parts of the population and also has a significant market value, it is very hard to trust any type of assurances besides the concrete technical architecture that makes it impossible for the data to be obtained in the first place.
Another term used for this principle is “Double Blind Exchanges,” where neither party involved in a transaction knows the other party’s identity or specific details about their involvement. The concept of unobservability is sometimes summarised under the term “unlinkability.”
There are conditions under which it becomes acceptable to hand over the transaction history for a user, for example when they choose to make a backup of their device to a cloud or transfer their own data to another device. Involving a server in the transaction may be acceptable when the user places trust in that server.
<aside> 📌
The Solid protocol of Sir Tim Berners-Lee offers a very interesting approach to digital identity and personal information. Unlike in other models, personal information is not stored by private companies or governments, but by the users themselves.
https://www.youtube.com/watch?v=qWVTjMsv7AE
</aside>
<aside> <img src="/icons/gavel_blue.svg" alt="/icons/gavel_blue.svg" width="40px" />
<aside> <img src="/icons/currency-coin_green.svg" alt="/icons/currency-coin_green.svg" width="40px" />
International statement of NGOs calling for unobservability “No Phone Home”.
</aside>
<aside> <img src="/icons/megaphone_red.svg" alt="/icons/megaphone_red.svg" width="40px" />