PID set: Potential issue with uniqueness in mandatory attribute set

[jantdm]

Description

In section 5.1.1.1 one of the principles states "No two persons SHALL have the same PID set of values for mandatory attributes." Based on the mandatory set of attributes as specified in 5.1.1.2 the combination of family and given name with birth date will lead to a very small but still non-zero number of cases with persons having the same PID set of values in a population of 450m.

(Using given_names (plural) instead or adding this in the mandatory set could reduce the chances, but not to zero.)
Edit: Just realized that the PID rulebook already specifies given_name as plural "name(s)".

Are these edge cases accepted or is this something where the spec would need to be adapted/extended?

I'm just getting into the process so apologies if this is not relevant here.

[ivanek666]

There are several cases of tuples Name, Surname and Date of birth just in Czech Republic according to state data https://archi.gov.cz/en:nap:iseo

This principle cannot be achieved.

[jantdm]

There are several cases of tuples Name, Surname and Date of birth just in Czech Republic according to state data https://archi.gov.cz/en:nap:iseo

This principle cannot be achieved.

Very interesting, thank you for posting. I was quickly looking for something like this but mostly found news articles of examples and theoretical statistics. This is a perfect empirical example.

So the issue is much more significant, 25 000 people that could not uniquely be identified for the Czech Republic alone.

[jantdm]

Following up on this, a unique identifier was part of the mandatory data set in the ARF up until the changes introduced with issue #67. Is there a reasoning available for the removal of the respective line?

2015/1501 (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015R1501) which was referenced before as a source for the requirement also still references the need for a unique identifier.

[aniltj]

I was quickly looking for something like this but mostly found news articles of examples and theoretical statistics

Back in 2013, The ANSI/NASPO Identity Proofing and Verification (IDPV) Standard Development Project conducted a study that identified sets of core identity attributes across the dimensions of Name, Location, Time and Identifier that in most cases, allows for resolution to a single identity. It also provides a list of supplemental attributes that can be used to prevent collisions in cases where the core attributes are not enough.

The basis of these core and supplemental attributes were not theoretical, but based on extensive data modeling and analysis done on data sets that covered the U.S. population.

In selecting a particular set, the project recommended that the following factors be used to choose one particular attribute over another:

1. EFFECTIVENESS: How EFFECTIVE is the attribute at distinguishing an identity?
2. SENSITIVITY: Is the person SENSITIVE about the data attribute? Is the individual concerned that providing the requested information may make them vulnerable to harm?
3. ACCESSIBILITY: Can the enroller verify the attribute? Does the enroller have ACCESS to resources that have details about the attribute?
4. PERMANENCE: Is this attribute stable over time?
5. UNAVOIDABILITY: Is the attribute something that is required to be collected as part of a business processes or for other reasons?

While the data used was US specific, the approach looks to be relevant to this discussion on a way to think about choosing a combination of attributes to achieve identity resolution. I wrote up, back in the day, an overview of the study and its results..

Needless to say, the study proves that even with selective disclosure and non-correlatable signatures, if the business process of the Verifier requires identity resolution, non-technical means that clearly articulate the life-cycle of the data collected will need to be put into place to ensure the privacy of the data shared with the Verifier.

[sander]

Note that the PID Rule Book v1.0.0 also mandates inclusion of issuance_data, expiry_date, issuing_authority, and issuing_country attributes. Altogether, it should be easy to provide unique PID for natural persons with the current text.

The unique identifier from (EU) 2015/1501 does not easily solve identity matching or resolution resolution. My eIDAS unique identifier in one member state will be different from my eIDAS unique identifier in another member state. In practice, service providers will still require additional attributes to resolve PID to a known or new subscriber.

The EU Digital Identity regulation article 11a requires member states to ensure unequivocal identity matching for natural persons using notified eID means or the Wallet. It does not require all Wallet solutions or all PID to completely solve (cross-border) identity matching. This, as well as the removal of the unique identifier from the PID mandatory attributes, seems appropriate to me.

For example, in the Netherlands we have a polymorphic pseudonym service provided by the government (BSNk), which could be extended to support the EU Digital Identity ecosystem at least for natural persons registered in the Dutch authentic source (BRP). This could simply be done using additional attestations outside of PID, and such a solution does not require PID to contain cross-border unique identification data.

Trust service providers in the private sector also have experience implementing identity resolution capabilities that relying parties can choose to use. Providing cross-border uniqueness in PID could disrupt this market.