By: Héctor José García Santiago. Director of the Government and ICT Observatory of the Pontifical Xavierian University. Executive Chairman of Camerfirma Colombia.
On 2 May of this year, Decree 620 was issued, which regulates the transversal aspects of Digital Government Policy: digital citizens’ services. These comprise the services of digital authentication, citizen folders and interoperability, and also allow for the digital ID cards and biometrics envisaged by the National Registry Office, within the framework of the authentication model.
The digital authentication model is part of the Digital Government Policy and its main pillars are security, unity and wide scope. Digital users expect this model to be highly secure and to prevent the loss and improper use of sensitive data. They also want the authentication model to be united and integrated, to make their lives easier and to spare them from filling in bothersome questionnaires and entering multiple passwords. For this purpose, Decree 620 lays down the possibility, already included in Decree 1413/2017, of using electronic and digital signatures, as well as digital IDs and facial biometrics by consulting the facial biometric database of the Registry Office.
Decree 620/2020 reaffirms the existence of basic and special digital services for citizens. In the first group, we find those considered necessary for the digital transformation of companies: 1) Interoperability, 2) Digital Authentication and 3) Citizen Folder. We will analyse each of these services in future editions, starting today with Digital Authentication.
Regarding the digital authentication service, the following conditions have been established:
- Definition: This is the procedure that enables the verification of a person’s digital attributes when they carry out procedures and services by digital means through the use of authentication methods. In addition, it provides certainty regarding the person signing a data message, or the person to whom such a message is attributed under the terms of Law 527/1999 and its regulatory standards, and without prejudice to notarial authentication.
- Minimum conditions for the digital authentication service: For the provision of the digital authentication service, the provisions on electronic and digital signatures included in Law 527/1999 and its regulatory standards, or the rules that modify, repeal or subrogate it, must be complied with.
- Inclusive accessibility: The digital citizens’ services offered will include the necessary features to make them available to the entire population in general, particularly to those in a situation of disability or vulnerability.
- Privacy by design and by default: Privacy and security must be a part of the design, architecture and default configuration of the information management process and of the infrastructure supporting it.
- Security, privacy and restricted circulation of information: All user information that is generated, stored, transmitted or processed within the framework of digital citizens’ services must be protected and kept under the strictest digital security and privacy schemes with a view to ensuring the authenticity, integrity, availability, confidentiality, accessibility and restricted circulation of information.
- Cost-free: User access to basic digital citizens’ services will be free of charge.
We must get past having to use different codes and passwords to access systems; One-Time Passwords (OTP) should prevail for signing documents. It is imperative that we stop overwhelming citizens with passwords. At present, each citizen has between 2 and 8 passwords to access different systems. According to a Deloitte study, almost 90% of user passwords worldwide are vulnerable to cyber-crime attacks. Facial biometrics, combined with digital IDs, electronic signatures and digital signatures, are the key to the digital authentication of the future, which has now become our present.
The use of multiple authentication features is the solution to online identification: something that you have, something that you know and something that you are. The combination of these three factors will guarantee highly secure document authentication and formatting. However, the databases consulted must be trustworthy, which is why the most suitable and reliable public databases to be used for this purpose are undoubtedly those of the Registry Office.
The model indicates that digital or electronic signatures are those that, when used by their owner, attribute the authorship of a data message. In parallel, the digital ID and facial biometrics option is enabled. In this way, the authentication methods available to Colombians within the framework of the digital citizens’ services model are the following:
- Electronic signature.
- Certified electronic signature.
- Digital signatures.
- Digital ID card.
- Facial biometrics, Registry Office database.
Changes introduced by Decree 620:
- It is established that the AND (National Digital Agency) is not only the articulator of the model, but also a provider of basic and special digital citizens’ services. It should be stated that this change is not ideal, insofar as one cannot be a judge and a party. The model of Decree 1413 set forth a model of free competition where it was specified that public monopolies were problematic and that basic digital citizens’ services should be provided by third-party experts authorised by the National Digital Agency under circumstances of free competition. As established by Decree 620, the AND competes with private entities, and this does not seem balanced or consistent.
- It is established that the AND is the exclusive operator of the interoperability service. The objection raised above applies here as well. It should also be noted that, although the Government manages the interoperability of the shared office connecting the state bodies, each body must have its own interoperability scheme that allows it to connect to the shared office, the ‘.gov.co’.
- Shared electronic office. This will be the State’s Single Portal through which citizens will access the contents, processes, services and procedures available from the authorities. Law 1413/2011, in article 60, provides that all authorities must have an electronic address through which they offer their services. Decree 620 introduces an important change by establishing ‘gov.co’ as the shared office of the Colombian State.
- Citizen Folder: The folder introduces a significant change in that it ceases to be a repository of information and becomes a front-end framework (graphical interface) that enables citizens to access their information stored in state agencies.
- Digital Authentication: In terms of digital authentication, there are essentially no significant changes. The digital authentication in Decree 1413 rested on trusted third parties, digital ID cards and facial biometrics, through consultation of the Registry Office’s databases. Decree 620 opens the door to “simple” electronic signatures, which can be provided by anyone, not necessarily a trusted third party, but it also involves digital signatures and certified electronic signatures from trusted third parties. Therefore, use of one method or another will depend on the risk analysis carried out by each organisation, where security will undoubtedly prevail.
To conclude, the recent claim for unconstitutionality against Decree 620 by the Registry Office stems from a previous non-compliance. However, we cannot understand why, for so long, there has not been a complete understanding between this body and the Government in order to move harmoniously towards a digital State, where the digital authentication service must involve the union and integration of the methods of electronic signature, digital signature, facial biometrics and digital ID cards.
The combination of three authentication factors is key to having a uniform and highly secure method, following the European eIDAS model that is our regulatory and technological benchmark. In this case, the AND must not act as an authentication service provider, which is the remit of trusted third parties or digital certification entities and the Registry Office, who must cooperate harmoniously with the AND and the MinTic (Ministry of Technologies). Let us hope that the country’s path for digital citizens’ services and digital policy is quickly restored.