The Government has just published a ministerial order that regulates the issuance of qualified electronic certificates remotely by video call, such as the electronic signature necessary to carry out procedures with the State Administration online. The legal text, available in the Official State Gazette (BOE), specifies, among other things, the conditions and technical requirements for verifying identity remotely and preventing impersonation attempts using technologies like deepfakes.
Among the technical measures included to prevent identity theft, the text indicates that the identification tool used must ensure that the process is executed live by the certificate applicant, and in one go, in such a way that pre-recorded video editing is avoided. The audiovisual file can only be recorded by the company or Administration that issues the certificate in order to be able to review it later.
The tool must also allow the agent using it to analyze, both live and a posteriori, the biometric characteristics of the applicant and their correspondence with the information included in the identity document.
The biometric facial comparison system must have been evaluated by the Face Recognition Vendor Test of the National Institute of Standards and Technology of the United States and have obtained the VISABORDER category, with which the high security of the recognition system is guaranteed. It must also have obtained a false positive rate equal to or less than 5%, following the instructions of Annex F.11 of the Taxonomy of products of the Information Technology and Communications Service of the National Cryptological Center.
The tool must also be able to ensure that the retransmission and the entire identification process are being carried out from the same device and will have to include procedural measures that can reveal possible manipulations with the introduction of a unique, random, unpredictable and single-use code generated at the moment and sent to the applicant.
In addition to biometric recognition, identity verification and functions for detecting tampering, such as video editing, the order states that human intervention will be essential in each of these processes, either at the same time, by video call with the applicant, or later, through the operator’s review of the video recorded by the system of the entity that will issue the certificate.
The companies that carry out these tasks will have to ensure specific training of operators in identification methods, in common counterfeiting techniques and in identity verification tools. Likewise, they are obliged to renew their training with periodic courses, at least once a year.
These operators will have the obligation to interrupt or invalidate the personal identification process if there are indications that prerecorded files have been used, that more than one device has been used to transmit the video, or that the applicant's video call was not made in one go and in real time. Likewise, it will not be valid if there are suspicions that the person requesting the certificate is acting under duress or intimidation by third parties.
The legal text does not only refer to the video. It also indicates that operators must check the validity and authenticity of the official documents presented to obtain the certificate, such as the DNI, and invalidate the process if there are indications that these have been modified. Equally, the request can be considered void if the quality of the sound or the image prevents verifying the identity of the person, the authenticity of the documentation or the correspondence between its owner and the applicant.
Periodic checks and facilities
The providers of these services will have to undergo periodic risk analysis, at least once a year, or whenever there is a change in the system, in organizational procedures, in the state of technology or in any aspect that could jeopardize the identity verification process, in such a way that they certify that the system is up to date and that they have reduced the risk of fraud to a minimum.
Regarding facilities, companies and public bodies that issue qualified electronic certificates remotely by video call must ensure that the servers and equipment used for the verification process are in protected rooms with access restricted to authorized personnel.
In these facilities, the service providers are obliged to keep the video and documentation of the verification process for a minimum period of 15 years, something about which the operators will have to have informed the applicants. The order states that this file will have to comply with the Organic Law on Data Protection.
The order will come into force, and will therefore be mandatory, the day after its publication in the BOE, that is, from tomorrow.
Consolidation of extraordinary measures
This ministerial order consolidates an identity verification procedure for the issuance of qualified electronic certificates that began to be carried out as a result of the declaration of the state of alarm due to the coronavirus pandemic. Before, to obtain this type of certificate it was unavoidable to go to a Registry Office of the National Mint and Stamp Factory.
That procedure was incompatible with the confinement and safety distance measures issued by the Government in March 2020, for which reason the Executive issued an extraordinary provision, through the Royal Decree-Law by which urgent complementary measures were adopted in the social and economic sphere to face COVID-19, so that these certificates could be issued by video call.
Thus, the eleventh additional provision of the aforementioned Royal Decree-Law established that “the supervisory body will accept those methods of identification by videoconference based on authorized procedures by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses or recognized for the issuance of qualified certificates by another Member State of the European Union”.
However, this extraordinary measure also specified that the certificates thus issued would cease to be valid once the state of alarm had ended, a circumstance that took place on May 9, and that their use would be limited exclusively to relations between the owner and public administrations.
So the order posted today consolidates the option of requesting qualified electronic certificates remotely by video call under normal circumstances and extends it to the private sector.