Persistent User Identification with eIDs

Digital platforms and services rely on persistent user identification to consistently recognize their users across multiple interactions. Persistent user identification relies on associating the user's identity within the application's domain with a unique identifier that remains constant over time. Implementing it correctly is essential to not only create an optimal user experience but also to ensure compliance with the European GDPR regulations.

In this blog post, we discuss how claims issued by eID providers can be used to implement persistent user identification in third-party applications. We suggest specific claims that can be used for this purpose and highlight the advantages of employing permanent pseudonymous identifiers as an alternative to the standard national social security numbers. We use the Danish MitID and the Norwegian BankID as examples.

Understanding anonymous vs. pseudonymous data 

Pseudonymization and anonymization are the two techniques used to mitigate data protection risks when processing personal data. They are often referenced within the context of the GDPR.

Anonymization involves removing personal identifiers from the data in a way that makes it impossible to link the data back to an identifiable individual. In terms of data protection and privacy, anonymization renders personal data non-personal. Non-personal–or anonymous–data does not fall within the scope of GDPR.

One example of anonymous data could be an aggregated dataset that provides the average speed of vehicles on a specific road without any personal identifying information.

Pseudonymization, on the other hand, is a transformation that makes personal data unidentifiable to a specific individual without additional information. This technique usually involves replacing directly identifying information such as name, social security number, or date of birth with a pseudonym: a value that does not directly reveal the individual's identity. 

An example of pseudonymous data is a person's driving record with their name and license number being replaced by a unique identifier.

In summary, pseudonymization makes personal data unidentifiable unless supplementary information is available, whereas anonymization entirely prevents re-identification.

Despite pseudonymous data still being classified as personal data under the European GDPR law, the GDPR recognizes pseudonymization as an appropriate data protection safeguard that reduces the risk of personal data misuse. Thus, when personal data processing is required, pseudonymous identifiers are preferable to directly identifying information.

Using eID providers’ claims for user identification

When a user logs into an application with their national eID, the application receives claims issued by the eID provider. These claims contain information about the user's identity, such as their social security number, date of birth, name, and other personal details. 

The JWT claims issued by Criipto Verify can be seen in the examples below.

Once the application receives those claims, it can extract the user information from them and utilize it for authenticating the user, determining access permissions, and customizing the user experience. 

Example: Danish MitID JWT Token content:

{
    "identityscheme": "dkmitid",
    "nameidentifier": "0f9960a0d28d4353a3e2ea07f8ffa185",
    "sub": "{0f9960a0-d28d-4353-a3e2-ea07f8ffa185}",
    "uuid": "74ffcd31-fbaf-4c33-bdac-169f25c1e416",
    "cprNumberIdentifier": "2101270087",
    "birthdate": "1927-01-21",
    "age": "93",
    "name": "Severin Poulsen",
    "country": "DK"
}

Example: Norwegian BankID JWT Token content:

{
    "identityscheme": "nobankid-oidc",
    "nameidentifier": "ee9b1bb905a6458e9f3b9d068f1a3765",
    "sub": "{ee9b1bb9-05a6-458e-9f3b-9d068f1a3765}",
    "uniqueuserid": "9578-6000-4-351726",
    "birthdate": "1946-03-27",
    "socialno": "27034698436",
    "family_name": "Olsen",
    "given_name": "Ole",
    "name": "Ole Olsen",
    "country": "NO"
}

Selecting user identifiers 

Any application that incorporates user logins will typically store user profiles in a database, where each user is associated with a unique and persistent ID. With eID logins, using the claim received from an eID provider as this persistent ID is a viable option. 

But which claim should we choose?

The Danish CPR number (cprNumberIdentifier) and the Norwegian Social Security Number (socialno) may seem like good options at first glance. However, it’s worth considering the following:

  1. Social security numbers can be used to directly identify a person. These identifiers are not pseudonymous, which invites additional GDPR concerns. 
  2. These numbers may change in certain situations.

Fortunately, most eIDs provide pseudonymous values that can be associated with users' identities and are persistent throughout the lifespan of an eID.

  • For the Danish MitID, the uuid claim serves as a persistent pseudonym that uniquely identifies individuals. It is the Danish MitID Person-ID used by authorities to identify citizens and employees.

  • With the Norwegian BankID, the bankid_altsub value identifies the legal person. In Criipto claims, bankid_altsub is available as uniqueuserid.

bankid_altsub and uuid are market-specific but broker-agnostic permanent pseudonymous person identifiers. These values will remain constant even if the SSN/CPR number changes and are not considered to be sensitive data.

  • Additionally, Criipto provides a sub claim that is based on persistent pseudonymous values provided by an eID (such as uuid and bankid_altsub). It uniquely identifies an eID user per Criipto Verify tenant. This claim serves as a good alternative to SSN/CPR numbers when using Criipto as an eID provider. 

sub, on the other hand, is a market-agnostic but broker-specific permanent pseudonymous person identifier.

Since most eIDs offer pseudonymous values that are also more robust than the national CPR and SSN numbers, we recommend opting for those identifiers or using a Criipto-specific sub claim as a user identifier in your application. 

Conclusion

It is important to emphasize that even pseudonymous data can potentially be used to re-identify the individual if combined with other information. Therefore, organizations must prioritize implementing robust data protection measures when processing any form of personal data.

However, when it comes to utilizing claims from eID providers for persistent user identification, developers should opt for pseudonymous identifiers rather than directly identifying social security numbers. This approach helps mitigate data protection risks and ensure compliance with GDPR regulations.  

Have questions? Don't hesitate to contact our support team via Slack or email.

Author
Our blog

Latest blog posts

The latest industry news, interviews, technologies, and resources.

BankID BankAxept Acquires Criipto

We’re pleased to announce BankID BankAxept as the new owner of Criipto!

The Nordic market leader from Norway is acquiring Criipto to create a...

Zero-Knowledge Proofs: A Beginner's Guide

Zero-Knowledge Proofs (ZKPs) are powerful cryptographic tools with a wide range of practical applications.

In this article, we’ll provide a simple...

View all posts

Sign up for our blog

Stay up to date on industry news and insights