The product of an intoxication with technology and of a choice in line with the erosion of the prerogatives of the State and of citizens in favor of Big Tech, SPID and the digital signature should be cancelled, at least in their current form.

The controversy raised by the government’s announcement that it wants to cancel the public digital identity system (as it is currently managed) does not take into account some “negligible” legal aspects that concern the very essence of the functioning of a liberal and democratic state: the attestation of identity and the power of identification. These aspects are closely connected to the issue of freedom in expressing individual will and therefore also to the regulatory choices regarding digital signatures. It is neither politically acceptable nor desirable to transfer these essential functions to the private sector.

Why SPID must be deleted

Simplifying to the extreme, from a legal point of view, “identity” means “who I am” while “identification” means “prove that I am who I say I am”. The difference may appear subtle, but it is substantial. Legal identity is acquired with the registration of the newborn in the registry office, as the final act of a continuous control process that begins with the birth, follows with the identification of the child with a bracelet and continues with the birth assistance certificate. This continuous series of events guarantees, in principle, the truthfulness of the parents’ declaration on the identity of the child and therefore the attribution to the child of a unique identity that is legally relevant for all purposes of the law.

Identification, on the other hand, passes first of all through the attribution by the State of an identity document (identity card, passport, firearms licence). The identity document is a “shortcut” that allows public authorities to verify the correspondence between declared identity and legal identity. Anyone who has ever stipulated a deed before a notary will have heard him begin with the classic phrase “there are present Messrs. Tizio and Caio, of whose personal identity I, the notary, am certain”. However, as taught by the Consolidated text of public safety laws and the Criminal Procedure Code, identification is a more extensive concept because in some cases (typically, precisely the absence of identity documents) recourse is allowed to anthropometric methods (fingerprints, dental arch) or to genetic profiling, as in the case of the national DNA database. It is clear, therefore, that identity and identification are tasks that can only and exclusively be performed by the State and that it is not, or would not be, conceivable to delegate or involve private subjects in a process of this kind. It is true that, for example, in the field of anti-money laundering, banks, Poste Italiane and professionals are required to verify the customer’s identity, but this happens in the context of an individual relationship that produces effects in a precise and restricted context.

Conversely, in the case of SPID, private subjects become the guarantors of personal identification with legal effects identical to those obtained by showing an identity document issued by the State. Quite simply, this shouldn’t be possible because it doesn’t mean resorting to the support of the private sector to perform a public function, but transferring it entirely. Therefore, there is nothing strange in cancelling not the concept of remote identification but only the tool with which it is achieved. Indeed, the anomaly is precisely having even conceived, in the first place, the idea of realizing the SPID as it was built. Therefore, the IT-enhanced identity card is welcome: the CIE, in fact.

Why delete the digital signature

A similar issue, and perhaps an even more serious one, concerns the digital signature and the sensational case of the choice of the French authorities to revoke, starting from 1 January 2023, the usability of two smart-cards, causing the risk that millions of documents lose their legal value due to an incorrect interpretation of the rules established by the Digital Administration Code. The IT security certification body (OCSI) of the Italian national cybersecurity agency has tried to remedy the improvident choice of the transalpine authorities by communicating to the European Commission that in Italy the two French smart-cards are considered valid (but then the question should be asked whether the concerns initially expressed about the safety of the devices in question were founded).

However, if the intervention of OCSI resolves the problem in the immediate term, it does not change the systemic defects of the legislation on digital signatures which, once again, depend on the political choice made about twenty years ago to transfer to private individuals not only the power of identification, but also that of attributing legal value to individual manifestations of will. Translated from legalese into Italian, this means that we have moved from a regime in which the signature only serves to “link” a declaration of will to the subject expressing it, to a situation in which, if someone decides that the instrument used for signing is no longer good, the will of the subject risks becoming irrelevant.

Let’s take an example: I stipulate a rental contract and sign it with a very traditional pen on an equally unmodern sheet of paper. The signature fades or the document degrades, but the will of the parties remains valid: the contract intended as an agreement between the parties remains in force. If anything, it will be a question of proving its content if a dispute arises between the landlord and the tenant, but that is another matter. The “old” Civil Code establishes very modern and liberal rules: in the vast majority of cases, the parties regulate their relations as they wish, even with smoke signals. In some cases, a physical medium is needed on which to “crystallize” the agreement; in others (the purchase of a house, for example) the presence of a notary is also needed.

Now, suppose we stipulate the same contract with a digital signature, using signature devices fully managed by private certifiers. The first thing that catches the eye is that a digital signature requires a computer, software, a signature device and an internet connection. Therefore, the ability to manage one’s rights is conditioned by the availability (financial, even before material) of technological tools controlled by third parties. As in the case of the push towards the obligation to use electronic payment instruments (instead of creating a legal tender electronic currency), this means depriving a person of the freedom to exercise his individual rights as guaranteed by law, placing him “under” for each individual act, and moreover by entrusting the protection to non-state entities.

In summary, we have gone from a system in which the pivot is the will of the person, to a system in which the will of the person is subject to the decisions of those who control the technological infrastructures that allow it to be manifested. This condition, already serious in itself, would get worse if the bizarre interpretation of the law that has been circulating for a while were to prevail, according to which, if a digital certificate used for signing expires, the signature retroactively loses its value. In fact, we would have arrived at the absurdity that the instrument (the signature device) conditions the exercise of a right. This would be equivalent to authorizing the use of self-erasing ink by law and establishing that once the signature has disappeared, even the document to which it was affixed is no longer worth anything. The Digital Administration Code does not say such a thing, but this has not prevented the spread of a narrative based, for the umpteenth time, on a precautionary principle built on the irrational fascination with technology which today leads us to speak of the “law of the metaverse”, of “laws of robotics” and “regulation of AI”.

Moving beyond SPID and the digital signature

Instead of persisting in keeping alive an outdated tool, the digital signature, we should ask ourselves how to get rid of it as quickly as possible to make room for what we have available today thanks to the now ubiquitous presence of public and private services that work using databases.

Pen and paper have long been the most effective technological tools for documenting the manifestation of will and for attributing it to an individual. The depersonalization of relationships (in the sense of concluding contracts through the platforms, the heirs of vending machines) and their spatio-temporal decontextualization (in the sense of concluding agreements at a distance and asynchronously) make it necessary to move beyond the very concepts of “document” and “signature”.

More and more often, from an e-commerce purchase to the ordering of a payment to the interaction with public services, the “document” and the “signature” do not exist or are only an epiphenomenon: a web page confirming the transaction or, at best, a confirmation email. In fact, everything boils down to filling in database fields whose records are presented in the outward form of a document, but are not one. In substantial terms, therefore, what matters is to identify the subject with full legal value (and this is taken care of by the CIE) and to be sure that the data the subject enters into the system in question are correct and treated correctly (and this is taken care of by the regulation on protection of personal data which, with all due respect to those who imagine it exists “to protect privacy”, requires guaranteeing the reliability and integrity of data).

In this ecosystem, already operational now, the whole theoretical construct based on the concepts of “document”, “written form” and “private deed”, which the legislation on digital signatures, conceived with an eye towards the last century, tried crudely to apply, has lost its meaning. If, therefore, in addition to bringing individual identification back into the fold of public control, the concept of “IT document” and all that it implies were eliminated at the root, another small step could actually be taken towards greater levels of efficiency.

There remains, however, a knot to untie which, in all likelihood, will remain intact: the cumbersome presence of information technologies, which are becoming the indispensable tool for the exercise of any right. On the one hand, it is increasingly unacceptable that they are in the hands of private entities. On the other hand, it is dramatically urgent that the State prevent the progressive subjugation of citizens to electronic slavery.