Vittorio Bertola (17/12/2021). Open Identity. In Belli, L.; Zingales, N. & Curzi, Y. (Eds.), Glossary of Platform Law and Policy Terms (online). FGV Direito Rio. https://platformglossary.info/open-identity/.
Author: Vittorio Bertola
An online identity is a collection of personal information about a person, associated with credentials that allow the owner of the identity to control the information and to assert their identity towards other parties over the Internet. The identity may represent an actual person (real-world identity), a fictitious person (pseudonymous identity), or an unknown set of one or more persons (anonymous identity). Frameworks for the management of online identities usually perform some or all of these functions:
- Authentication, i.e., the establishment and verification of credentials (passwords, biometric data, etc.) to ensure that only the legitimate owner of the identity can use it;
- Authorisation, i.e., the request and release of permission for an authenticated identity to access a specific resource or service;
- Signing, i.e., the creation of cryptographic attestations of a certain assertion by the owner of the identity;
- Information management, i.e., the entering, storing and controlled distribution of the personal information that the owner associates with the identity.
An open identity is an online identity provided and managed through the use of open, federated standards that allow multiple identity providers to coexist, including the possibility for the identity owner to switch from one provider to another or to self-manage their identity without resorting to an external identity provider (this latter case is called self-sovereign identity).
Currently, the most common identity frameworks are those provided by Internet platforms, especially by Google, Facebook, and Apple. These systems are widely used for registration and login on websites and online services. Although they are based on an open protocol (OpenID Connect), they are not open, because the user cannot choose a different provider: e.g., a Google identity can only be used within the Google ecosystem, and no other providers can supply identities for that ecosystem. The European Union, through the eIDAS Regulation (EU Regulation, 2014), has established an identity framework that federates national identity systems and can be used for logging in to online services, typically for real-world identities and public administration websites. The openness of eIDAS implementations varies across European countries.
- European Commission. (2014). Document 32014R0910 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG