No More Entering Your ID Number for Identity Verification? | National Online Identity Authentication Public Service Management Measures (Draft for Comments) Released
An analysis of China's proposed Net ID and Net Certificate system for online identity verification, explaining how the system works, its impact on game companies' real-name authentication processes, and the privacy advantages and procedural concerns it raises.
On July 26, the Ministry of Public Security and the Cyberspace Administration of China jointly issued an announcement seeking public comments on the National Online Identity Authentication Public Service Management Measures (Draft for Comments).
The main purpose of the draft is:
To uniformly issue “Net IDs” and “Net Certificates” to the public, providing real identity registration and verification services based on legal ID documents, aiming to facilitate public use, protect personal information security, and advance the strategy of a trusted online identity.
After the implementation of these Measures, when performing real-name authentication for games, users may no longer need to enter their ID card information and only need to provide their Net ID and Net Certificate.
*This article reflects only the author’s personal views and does not constitute any legal advice or legal opinion.
I. What Are “Net IDs” and “Net Certificates”?
The term “Net ID” as used in these Measures refers to an online identity symbol that corresponds one-to-one with a natural person’s identity information, consisting of letters and numbers without containing plaintext identity information;
“Net Certificate” refers to an online identity authentication credential that carries the Net ID and the non-plaintext identity information of a natural person.
Net IDs and Net Certificates can be used for non-plaintext registration and verification of natural persons’ real identity information in internet services and related departments, industry management, and services.
If we compare the previous verification method to an account (name) + password (ID number), then this new Net ID/Net Certificate system is, simply put, an Access Token.
Personal identity information is used to generate a string of characters without plaintext information (customization may also be possible), and this string is then used to verify identity, achieving the purpose of privacy protection.
Third-party platforms that obtain the Net ID can only see this meaningless string of characters, while the verification work is handled by the official public service platform. Even if the third-party platform is hacked, user ID card information cannot be leaked; the third-party platform and its employees cannot learn the user’s true identity or sell user data.
II. Where to Apply?
The term “National Online Identity Authentication Public Service” (hereinafter “Public Service”) as used in these Measures refers to the state, based on legal ID document information and relying on a nationally unified online identity authentication public service platform (hereinafter “Public Service Platform”), providing services for natural persons to apply for Net IDs and Net Certificates and to conduct identity verification.
Currently, the Measures do not include application guidelines. Considering that this is only a draft for comments, specific application channels and methods may be announced after the Measures are formally implemented.
III. Who Can Apply?
Natural persons holding valid legal ID documents may voluntarily apply for Net IDs and Net Certificates.
For minors, the Measures include special provisions:
Natural persons under the age of 14 need to obtain consent from their parents or other guardians, with the guardian applying on their behalf.
Natural persons between the ages of 14 and 18 need to apply under the supervision of their parents or other guardians.
In addition, the Measures also stipulate that natural persons under the age of 14 must first obtain the consent of their parents or other guardians before using Net IDs and Net Certificates for registration and verification of real identity information.
IV. What Should Game Companies Do?
At this stage, there is not much urgent work to do.
First, using Net IDs and Net Certificates for verification is currently not mandatory:
Internet platforms are encouraged to access the Public Service on a voluntary basis to support users in using Net IDs and Net Certificates for registration and verification of their real identity information, and to fulfill their obligations to protect personal information and verify users’ real identity information in accordance with the law.
After an internet platform accesses the Public Service, if a user chooses to use Net IDs and Net Certificates for registration and verification of real identity information and passes verification, the internet platform shall not require the user to provide additional plaintext identity information, unless otherwise provided by laws or administrative regulations or with the user’s consent.
Internet platforms shall ensure that users using Net IDs and Net Certificates enjoy the same services as other users.
Game companies can still insist on using ID card verification for real-name authentication.
Second, since there is currently no SDK or API example, writing a verification system in advance is not very practical.
You can start with process design and UI design, such as designing the verification process, real-name result display pages, etc. (if the old page displays results with a masked ID card, it needs to be redesigned).
V. Advantages and Concerns
Advantages
For users, the core advantage of using Net IDs and Net Certificates is that they do not directly expose plaintext real-name information during data processing, significantly reducing the risk of direct leakage of sensitive personal information and greatly enhancing the level of privacy protection. Compared to ID card numbers, Net IDs and Net Certificates are more difficult to directly obtain or view, which reduces the possibility of registration under a stolen identity (e.g., minors using their parents’ identity information to register accounts), provided the platform prohibits direct ID card verification.
For businesses, adopting the Net ID and Net Certificate system also brings many benefits. As with users, it significantly reduces the risk of information leakage. Even in the event of a hacker attack, only the Net IDs and Net Certificates without plaintext identity information are exposed, making it difficult to constitute “leakage of personal information,” helping companies avoid compliance risks under laws such as the Data Security Law and the Personal Information Protection Law.
Backend programmers no longer need to scratch their heads over how to anonymize ID card information.
At the same time, it can also provide a basis for refuting malicious refunds by users claiming “my child stole my identity information.”
Concerns
Although the Measures aim to strengthen personal information protection, there are still some issues worth our attention, even potential risks.
First, the Measures mainly solve the problem of direct exposure of personal information at the platform level, but they do not demonstrate strong control over registration risks such as identity theft.
Although Net IDs and Net Certificates may reduce exposure of identity information, given their uniqueness, when a Net ID or Net Certificate is leaked, identity theft cannot be completely prevented. If someone obtains another person’s Net ID and Net Certificate, they could still register accounts on various platforms by impersonating that identity.
Second, the implementation of the Measures may increase the complexity of legal proceedings. When a dispute arises, the use of non-plaintext Net IDs and Net Certificates instead of direct identity information may lead to a more cumbersome and time-consuming rights protection process.
In the past, when a user’s rights were infringed, they could first sue the platform to obtain the infringer’s identity information for subsequent litigation.
Once the Net ID/Net Certificate system takes effect, this process will become more complex: the aggrieved user would still need to sue the platform to obtain the infringer’s Net ID and Net Certificate, then use these to go to the Public Service Platform to obtain the user’s real identity information, and only then could litigation formally begin.
This process significantly increases the workload and time cost of rights protection, potentially reducing the efficiency and motivation of the aggrieved party. For some small or time-sensitive disputes, such complex procedures may make the cost of rights protection exceed the expected benefits, thereby affecting the effective protection of user rights. At the same time, delegating the task of obtaining real identity information to the Public Service Platform, considering the current number of online infringement cases nationwide, may further prolong litigation time.
Setting variable Net IDs may help reduce the risk of identity theft, but it would further increase the difficulty and workload of obtaining real identities.
The specifics will depend on whether supporting detailed rules are provided when the Measures are implemented.
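The following sketch models the token behaviour described in Section I and the leak and variable-Net-ID concerns above. It is an added illustration, not code from the Measures or from any official SDK (none exists yet); the `Authority` class, the HMAC derivation, and the platform names are assumptions, since the draft does not specify how Net IDs are generated or verified.

```python
import hashlib
import hmac
import secrets


class Authority:
    """Hypothetical stand-in for the Public Service Platform (assumed design)."""

    def __init__(self, per_platform: bool):
        self._key = secrets.token_bytes(32)  # secret stays with the authority
        self._per_platform = per_platform
        self._issued = {}  # net_id -> scope ("*" or a platform name)

    def issue(self, id_number: str, platform: str) -> str:
        # Static mode: one Net ID per person. Variable mode: one per platform.
        scope = platform if self._per_platform else "*"
        digest = hmac.new(self._key, f"{scope}|{id_number}".encode(), hashlib.sha256)
        net_id = digest.hexdigest()[:24]
        self._issued[net_id] = scope
        return net_id

    def verify(self, net_id: str, platform: str) -> bool:
        # The calling platform learns pass/fail only, never the ID number.
        scope = self._issued.get(net_id)
        return scope is not None and scope in ("*", platform)


def simulate_breach(per_platform: bool) -> dict:
    authority = Authority(per_platform)
    id_number = "CONSTRUCTED-ID-0001"  # constructed sample, not a real ID number
    game_a_db = {"player_1": authority.issue(id_number, "game_a")}

    stolen = list(game_a_db.values())  # what a breach of game_a exposes
    return {
        "plaintext_in_breach": any(id_number in record for record in stolen),
        "replay_at_other_platform": authority.verify(stolen[0], "game_b"),
        "replay_at_same_platform": authority.verify(stolen[0], "game_a"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("per-platform" if mode else "static", simulate_breach(mode))
```

In both modes the breached records contain no plaintext identity data, but only the per-platform mode stops a leaked Net ID from being accepted elsewhere, and neither mode stops reuse on the platform where it was issued.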
VI. Final Thoughts
In my personal opinion, instead of creating another Access Token, it would be more convenient and practical to directly redirect to the official app for facial recognition real-name verification, or to use an Authenticator for dynamic PIN verification.
At least it would help reduce the risk of identity theft at registration.