FCT-9-2015: Law Enforcement Capabilities topic 5: Identity Management ARIES "reliAble euRopean Identity EcoSystem" D2.2– Socio ethical analysis and requirements Due date of deliverable: 30-11-2017 Actual submission date: 30-11-2017 Start date of project: 1 September 2016 Duration: 30 months Revision 1.0 Project co-funded by the European Commission within the EU Framework Programme for Research and Innovation HORIZON 2020 Dissemination Level PU = Public, fully open, e.g. web CO = Confidential, restricted under conditions set out in Model Grant Agreement CI = Classified, information as referred to in Commission Decision 2001/844/EC. Int = Internal Working Document D2.2 Socio ethical analysis and requirements D2.2 – Socio ethical analysis and requirements Editor Dave Fortune & Juliet Lodge, Saher Ltd Contributors Saher, SONAE , UMU Reviewers Atos, UMU 28-11-2017 Revision 1.0 The work described in this document has been conducted within the project ARIES, started in September 2016. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700085. The opinions expressed and arguments employed herein do not necessarily reflect the official views of the European Commission. Copyright by the ARIES Consortium. D2.2 Socio ethical analysis and requirements Document History Version Date Author(s) Description/Comments 0.1 21/10/2016 Saher Draft sections 0.2 19/11/2016 Saher Updates to GDPR 0.3 11/12/2016 Saher 0.4 02/01/2017 Saher 0.5 16/01/2017 Saher 0.6 21/01/2017 Saher Ethics Chap 2 updating & flow charts, Glossary, EIA review 0.7 22/01/2017 Saher ePrivacy, Single Digital Market update 0.8 23/01/2017 Sonae Barriers to eCommerce; focus groups 0.9 23/01/2017 Saher Barriers to eCommerce; focus group questions 0.10 24/01/2017 Saher VIS and Umbrella Agreement update 0.11 03/02/2017 Saher Updates and uploaded to repository / ethical advisor DSM 0.12 24/02/2017 Saher Societal acceptance model of IT update Vulnerability updating review, plus bibliog updating, airport 0.13 22/03/2017 Saher updating 0.14 27/03/2017 Saher eCom updating; official doc updating 0.15 10/04/2017 Saher eAirport EES updating 0.16 09/05/2017 Saher Baked in ethics by design update 0.17 29/05/2017 Saher Review post Murcia meeting 0.18 30/05/2017 Saher Revision re ~#4.2ff o.19 01/06/2017 Saher Revision #2.1 0.20 19/06/2017 Saher Revision 2.1 re LIBE on encryption/privacy 0.21 23/06/2017 saher Re biometrics and ethics after Ethical Advisor discussion 0.22 28/06/2017 Saher EDPS update 0.23 30/06/2017 Saher Stakeholder claims 0.24 7/7/2017 Saher update 0.25 9/7/2017 Saher Revision 0.26 17/7/2017 Saher editing 0.27 26/7/17 Saher update 0.28 30/7/17 Saher update 0.29 31/7/17 Saher revision 0.30 10/8/17 Saher update 0.31 26/8/17 Saher editing 0.32 3/9/17 Saher Claims and poll review 0.33 14/9/17 Saher Revision update legislation 0.34 30/9/17 Saher edit 0.35 7/10/2017 Saher Update post annual mtg, ethics advisor review, and pilots 0.36 10/10/2017 Saher editing 0.37 16/10/2017 Saher review 0.38 3/11/2017 Sonae eCommerce findings 0.39 6/11/2017 Sonae & Saher Joint review & update 0.40 6/11/2017 Saher Edit and dissemination Saher, Atos,UMU, 0.41 13/11/2017 Discussion, revision, update & review Sonae 0.42 27/11/2017 Saher & Sonae Final review 1.0 29/11/2017 Atos Format review Page 3 D2.2 Socio ethical analysis and requirements Executive Summary In developing a technically innovative eID, Aries seeks to move beyond the state of the art to incorporate ethical concerns into the development of an eID that citizens can trust, that is informed by adherence to ethical principles, and which is appropriate to meeting the challenges and ambitions of the digital single market. Ethics is a key to gaining public trust in the eID for multi-purpose use. The EU is keen to see the incorporation of ethics as first principle of technical design to ensure trust. Aries seeks to develop an eID that builds in ethical considerations from the start. The Aries eID rests on the premise that ethical concerns are ubiquitous but not uniform, have different roots and connotations in different societies and across time, and are not readily overcome by systems that rely on large data bases to check and manage identity claims. Aries seeks to find a means of allowing a genuine person to use an eID for all manner of transactions in ways that preserve his/her dignity, autonomy, privacy and security. The Aries eID solution is designed to be non- discriminatory and societally as neutral as possible (meaning, for example, that gaining such an eID does not depend on ability to pay for one, thereby meeting criteria on optimising inclusiveness). Aries develops a technical solution in the vID that is as neutral as possible and minimise the myriad discrepancies across states that arise from different societies; traditions and legacy systems and practices. Informed by an appreciation of tensions in society that may have inhibited eID take-up, and may still hinder its acceptance, Aries recognises that the Digital Single Market goal of once-only enrolment for egovernment has advantages and disadvantages. It outlines issues around automated cross-border information exchange and re-use and related questions. It reflects concerns over an enhanced digital divide; and the ethical concerns related to exaggerated claims for biometrics as well as citizen anxiety over biometric enrolment and sustainable biometric eID dependability. The Aries eID is developed in line with respecting fully existing EU law, standards and prospective requirements under the GDPR. Aries goes beyond the SoA technically with a view to showing that privacy and ETHICAL PRINCIPLES Pre-cautionary principle security can be advanced simultaneously rather than as a trade-off in a zero-sum Trust game. By providing a technical means to do this, issues around the acquisition of Dignity informed and explicit consent, compared to implicit consent (and the inferred Autonomy consent deduced from ticking T&Cs) is addressed and overcome. Self-determination Consent Equality As a result, many ethical problems are addressed by the technology. They are Inclusion not therefore dependent on compliance with rafts of national legislation which Non-discrimination may not be consistent, uniform or easily enforceable by the user of an eID. Purpose specification Purpose minimization Accountability Aries technical solutions seek to mitigate barriers to eID adoption which may Transparency have cultural or societal origins, and which are often conflated with enrolment Privacy process concerns (biometric template generation and storage) and privacy Security objections. Challenges arise as to the relative weight to be given to the right to Accessibility Necessity privacy (that some see as non-existent and redundant) and to the principle of autonomy, upon which the right to consent and the ‘right to be forgotten’ rest. Some barriers are generic. Page 4 D2.2 Socio ethical analysis and requirements Perhaps the biggest ethical concerns arise not from the eID itself but from subsequent unknowable re-use of information from which it is derived. Can such information be mined, re-configured in full or part, sold or used to make inferences about behavior and transactions. Can it be re-used and linked without the live and explicit consent of the live person to whom it relates and whom it identifies? Aries is aware that information collected for one purpose may not only be re-purposed but used to re-categorize citizens for all manner of purposes, whether tracking for commerce, surveillance, social trends, behaviour or re-selling partial slabs of information. The Aries eID departs from such categorization to create an eID that is a neutral as possible. Aries eID, in seeking to be as neutral as feasible, seeks to use technology to safeguard individual privacy and security against intrusion using algorithms informed by ethical reflection. The Aries eID is a token of the real human. Part of it may be accessed for limited, specific purposes (e.g. to confirm age without revealing date of birth: this person is over 18). Aries recognises the potential of biometrics to provide additional information about an individual claiming to be the person with whom eID is to be matched. It has taken into account different laws relating to the enrolment and storage and use of different biometrics by different states (eg common biometrics like face, palm, voice, iris, gait and fingerprints). It is aware that the EU’s definition of biometric differs from that of the USA. It is aware that video analytics, making use of biometrics, is growing. It is aware that mutual recognition of roles, entitling specified persons to access specified pieces of information, is a complicated process and is not fool-proof. The continuing growth in the development of technologies to mask aspects of biometric identities, in the name of purpose limitation, data minimization and preventing mission and function creep, poses additional challenges. Society may be inclined to adopt steps that inhibit biometric recognition (such as masks). Aries tackles the problem of generating and maintaining trust in the eID by focusing on purpose limitation and data minimization to generate trust by leaving the disclosure of eID fields in the hands of the individual to whom the eID token relates. It draws on feedback from Aries’ interviews with citizens and focus groups to provide a benchmark for citizen perceptions to inform the development of the eID and recommendations regarding an Ethical Impact Assessment.