Cross border e-Identification

22 Jun 2022 14:45h - 15:45h

Event report

The session debated the theoretical and practical challenges of cross-border data exchanges and the criteria under which governments should have access to personal data held by the private sector in cases of criminal activity. Ms Regina Filipová Fuchsová (Industry Relations Manager at EURid, the .eu) moderated the discussion and opened the session by referring to the Study on Domain Name System (DNS) abuse of the EU.

The discussion first looked at the challenges of cross-border data exchanges in case of criminal activities and then presented a few practical methods of identity verification applied in the Czech Republic and by the EU.

Ms Marjorie Buchser (Chatham House) referred to the newly launched project by Chatham House on cross-border data transfers in the context of law enforcement and national security. She noted that cross-border data requests have become an essential aspect of criminal investigations in Europe today, as more than half of all investigations include cross-border data requests. Since the use of digital technology is so widespread, law enforcement authorities in Europe often need to request data regarding criminal activities from private companies located outside Europe (e.g., from Google, Facebook, and Microsoft). She then considered a few existing barriers to cross-border data flows. First, an outdated legal framework and the persisting principle of territoriality impede effective data flows. The current legal framework that governs cross-border data transfers is still deeply rooted in the concept of the nation-state and territorial boundaries. Therefore, for such requests, the applicable legal framework is the one in force where the data is stored, which is often where private companies have their headquarters. Second, we often look at cross-border data flows from law enforcement and national security angles. The problem with this is that imperatives from these two angles are often blurred. In the current legal framework, intelligence services essentially face much less regulation and oversight and often end up being exempt from it.

Ms Georgia Osborn (Oxford Information Labs) illustrated the practical challenges faced by law enforcement agencies when requesting data from private companies. On the government side, one challenge is to have a clear contact point who knows how to request data from different companies. Currently, different authorities may have different procedures as well as different contact points in charge of requesting data from different and numerous technical companies. This increases confusion. On the private company side, these processes may be streamlined, but they are still not consolidated into one precise method. Echoing the remarks by the previous speaker, Osborn also stated that the heterogeneity of the existing legal framework makes it difficult for private companies (especially smaller ones) to develop an effective and streamlined process when dealing with such requests. Finally, with regard to privacy protection concerns, it is difficult to get all the relevant stakeholders together, as privacy groups and law enforcement agencies are seldom at the same table discussing these issues.

Mr Jaromír Talíř (CZ.NIC) explained that although registrant verification is not a topic of direct relevance for Top Level Domains (TLDs), a link has become evident between non-verified registrants and cybercrime activities and Domain Name System (DNS) abuse. He then considered more specifically the case of digital identity as a good opportunity for registries and registrars to be verified. With reference to the EU study mentioned above, he mentioned the eIDAS regulation (an EU regulation on electronic identification) as a great tool that could be used for verifying registrants. However, some challenges remain regarding access to eIDAS nodes, which is mostly limited to public services and not open to the private sector. Moreover, eIDAS allows for verification of individual identities and not that of companies. In addition, a lack of identification data in the eIDAS Networks makes it difficult to match identities from the service provider side.

Mr Hans Seeuws (External Relations Manager at EURid) illustrated a few verification criteria used to keep track of who owns a domain name. One of them is an eligibility criterion that requires the registrant to be an EU citizen or resident or a legal entity within the European Economic zone. Another is a contractual requirement to report to the European Commission, with the need to verify the validity of a domain name application. The requirement says that the TLD registries will need policies and registries in place to ensure that the databases include accurate and complete information. On the storage of information, he specified that EURid stores only the name, a company name if applicable, address, phone number, e-mail address, and technical information. He added that in order to streamline the verification process, EURid is looking at alternative verification methods such as validation via mobile phone or via online payment or bank transfer to a European bank. He concluded by considering further disadvantages of these methods, such as the difference between verification and validation, the verification costs, and the expiration of the verified data.

By Marco Lotti