Vester AllĂŠ 24, 3.sal 8000 Aarhus C +45 86 370 400 info@cfdp.dk www.cfdp.dk
Aarhus February 23th, 2011 On the 18 of Feb. 2011, the European Commision asked stakeholders about a joint European Digital Signature. Centre for Digital Youth Care answered - both on what services we use and could use, and how we believe kids and vulnerable youth should be protected and can be best helped by a digital signature solution.
Question 1: Do you / Does your organisation use e-signatures, e-identification and eauthentication? Current e-authentication schemes do not support the functionality we need, despite the fact that such functionality has been wholy within the reach of our technological capabilities for many years. We are an online counselling service, and the anonymity of our users is paramount - our counselling works because of the inherent safety of the familiar chat interface, and basic anonymity of exchanging only short texts messages (over a third-party server to enable hiding our user's IP address). Still, we would like to ascertain some details about our users. Knowing a user's age and gender would be a great help in a counselling situation, and invaluable to our statistics - both for internal formative impact assessment, but especially when documenting our work. Such a solution necessitates an electronic authentication service which allows not only identification, but verification! We do not need, and indeed do not want, to know the user's identity - we need to know for a fact that they are the age they say they are. This is not possible using current electronic authentication services. The recent Danish endeavour, NemID, failed to provide this functionality.
Question 2: For what online transactions do you consider electronic identification, authentication and signatures useful in coming years? All the above transaction types are relevant, but in our work, we are in need of verification instead of identification. As stated above, we would like to ascertain some details about our users. Knowing a user's age and gender would be a great help in a counselling situation, and invaluable to our statistics - both for internal formative impact assessment, but especially when documenting our work. Such a solution necessitates an electronic authentication service which allows not only identification, but verification! We do not need, and indeed do not want, to know the user's identity - we need to know for a fact that they are the age they say they are.
CfDP - Centre for Digital Youth Care is a socioeconomic company, which aims to ensure digital safety and well-being for children and young people.
Vester AllĂŠ 24, 3.sal 8000 Aarhus C +45 86 370 400 info@cfdp.dk www.cfdp.dk
Aarhus February 23th, 2011 The advantages of verification-centric authentication services are obvious in many areas, and the functionality is an absolute necessity in enabling privacy. If every service we interact with is able to identify us individually, simple systems already in use can aggregate, mine and extract data far beyond what an individual has provided, or expects to be discoverable. Vulnerable kids and young persons cannot be expected to fight for their privacy, or understand the implications of technological solutions. We believe parents, youth care workers and professionals should fight for them, and demand that all technologies that allow surveillance and intrusion of privacy should be opt-in, and never opt-out. The types of online transaction that will be most useful - not in an instrumental sense, but what is intrisically useful for end users and society - are the transactions that allow as little as possible intrusion and the best privacy protection for the user. When designing a system for all of Europe, we should remember first not to do harm.
Question 4: Would a stronger involvement of financial institutions in the provision of trusted esignature and e-identification services have an impact on the take-up of e-signature and eidentification in other sectors? If yes, what would be the appropriate incentives? Mobile banking. A service that everyone would feel was a new and useful feature. For mobile banking to work, a platform-independent authentication service is needed. Smartphones could handle everything with an app, while 'dumbphones' could use a seperate card of preprinted call-response codes, to use with texting. There would be little incentive for the banks, though, and the service might possible have to be predicated on a demand that banks have to comply with a set protocol. It is, not only in this case, imperative to differentiate between protocols and service provider!
Question 15: Should "electronic consent" be recognised formally by future European legislation?Information Liability for the end user should be predicated on continued use. The desired legal ramifications presumed by licensors, and the assumptions made by end user licensees, when using current clickthrough acceptance is wildly at odds. Enabling click-throughs and similar simple usage to have full legal ramifications, would catch most user completely unaware of the consequences of their actions a problem, to put it mildly, in contract law.
CfDP - Centre for Digital Youth Care is a socioeconomic company, which aims to ensure digital safety and well-being for children and young people.
Vester AllĂŠ 24, 3.sal 8000 Aarhus C +45 86 370 400 info@cfdp.dk www.cfdp.dk
Aarhus February 23th, 2011 For the end users we at Centre for Digital Youth Care would like to protect, changes to electronic consent legislation has important consequences in at least two areas: 1) The vulnerable kids, young persons (and to a large extend other, if not most users) could far too easily sign up for services with far-reaching economic, legal or privacy-related consequences. To protect this target group, especially those without a family to support and guide potentially lifechanging decisions, we recommend that any 'click to accept' has no legal, or technological, consequences that are not reversible. This means that if a young person discovers some consequence of their previous acceptance, such as a social networking service's right to use her data, or that they have entered some legal obligation, those transfers of rights and obligations are only valid for as long as that person still uses the service. Opting out could be done by deleting the profile, or simple failure to use the service for a set period of time and not answering a number of warning emails. Some consequences are obviously not reversible, such as entering a site into a search index; but continued use and mining of personal data can be turned off just as easily as they were turned on. 2) For the social workers around vulnerable kids and young, click-through and it's unforeseeable consequences for them as legally responsible professionals and organisations have a decidedly chilling effect. If obligations and legal repercussions are not outright ignored, a given service is likely to become completely prohibited for the young persons in question. As a consequence, common platforms and useful programs and services for interacting with their government, civil society and friends are either totally denied these youngsters most in need of integration in society, or their use becomes a secretive affair undertaken without proper guidance. If opting out became easy, for instance when leaving a legal guardianship, organisations and youth workers would have only positive incentives for letting young people use and learn about the services their and their peers enjoy.
Question 27: Europe is fully part of the global economy. However, the forthcoming legal framework cannot cover non EU countries. Are there nevertheless international issues that should be taken into account? Yes. A federated approach, where the EU provides an extendible protocol and legal implications for it's use, would make the best possible case for future collaboration with other countries.
CfDP - Centre for Digital Youth Care is a socioeconomic company, which aims to ensure digital safety and well-being for children and young people.