The discussion of Bill 7316/02, which regulates the use of digital signatures (with digital certificate) and electronic signatures (without digital certificate) in Brazil, was resumed in the Chamber of Deputies by the Constitution and Justice and Citizenship Commission (CCJC).

On August 7, 2019, the matter was discussed in a public hearing attended by parliamentarians and representatives of the Digital Certification Service of the Federal Data Processing Service (Serpro), the National Institute of Information Technology (ITI), the National Association of Digital Certification (ANCD) and the Federal Revenue of Brazil, among other invited organizations. There is a consensus in the Brazilian market on the need for modern legislation that provides legal certainty for those who use digital certification.

To analyze the perspectives of the Digital Certificate in Brazil, the ABES Portal team interviewed Paulo Milliet Roque, vice president of ABES and director of the digital certification company DigiForte.

In this era of process transformation, simplification and reduction of face-to-face procedures, the certificate is a mechanism that is increasingly used to ensure the identity of individuals when signing documents and accessing services, in order to provide legal certainty and ensure security in online transactions. Shall we follow the interview?

How do you evaluate the return of the debate regarding Bill 7316/02?
It's very important. I agree with the need for stronger digital certification and its popularization. It is essential to have a digital identification system for Brazilians with high security and technology that allows the risk of fraud to be reduced. Today, we have achieved this with the current digital certification system, but we know that there is room for improvement. Users complain about the inconvenience of traveling to the certifying unit; however, this step is essential to check the identity of the certificate acquirer in person, that is, for the step I call “face-badge” checking. The second complaint is the cost of a digital certificate, which can be between R$ 120.00 and R$ 400.00, depending on the period of validity, whether for individuals or legal entities and the support - magnetic card, token or software. We have already had an average price decrease of about 20% in the last year and I believe in further reduction in the short term.

Why does a digital certificate have a validity period?
In Brazil, the validity of certificates varies from 1 to 5 years by legal determination, always with the objective of preventing fraud. As encryption progresses periodically, there is no point in keeping technologically outdated certificates on the market, which creates risks of attacks, especially with the advancement of computers' processing power. That's why you can't make a digital certificate for life. In addition, there is a risk of misuse, of bad faith, as, for example, when a person dies and someone who has the password continues to use the certificate. Thus, the validity period provides more protection against technological advances and against fraud.

Is there a substitute for the digital certificate?
At the same level of security, it doesn't exist. There are companies and entities that defend identity verification systems in transactions based only on login and password, or verification by email and cell phone number, but we have many examples of security breaches with these two data alone, due to database invasions. A well-known case worldwide happened with Yahoo in 2012, when almost half a million usernames and unencrypted passwords were stolen. That number just goes up. Sky had 32 million leaked accounts in 2018. The website https://haveibeenpwned.com records 8 BILLION stolen logins and passwords. Check your email address here. With password and email, in practice, people are not very protected. They are not sufficient to protect data in systems that need a high level of protection and access control, such as that of the FGTS or the IRS. When it was just these two data for citizen authentication, the occurrence of fraud was much greater. The main problem in the digital world and beyond is: how to avoid fraud? One of the ways to protect against these occurrences would be two-factor authentication, which is also highly recommended, even though it takes a little more work on the implementation.

How do you see the use of the electronic signature?
The electronic signature (without digital certificate) also does not guarantee 100% the identity of those involved in the transactions. It is fragile for signing contracts, for example, as it is based on a person's email. Nowadays, we know that it is easy to create an email, buy a chip and a disposable cell phone to forge the identity of a third party, anyone. It is even feasible for low-value transactions, but I do not recommend it for operations of greater value or that, on a daily basis, may lead to litigation and sanctions. Compared with other markets, the reality in Brazil is quite advanced in the options of identity verification. The RG, the CNH, despite not being a document that all Brazilians have, and the CPF have established themselves as important data for identifying people. We will evolve further when we have the National Identification Document (DNI). These documents are the ones used for the issuance of the digital certificate and must be presented in person.

Bill 7316/02 was stalled in the National Congress. What is already being done to popularize the use of the digital certificate and modernize its rules?
ITI has been working to promote advances in digital certification and its CEO, Marcelo Buz, has been doing important work to reduce the costs of certificates for individuals, with new rules that should come into force later this year, in the second fortnight of October. Also in August, we started discussing how to facilitate the issuance of the digital certificate for legal entities. Paulo Uebel, Special Secretary for Debureaucratization, Management and Digital Government, of the Ministry of Economy, and his competent team have also contributed to this effort to reduce costs and facilitate acquisition, without giving up security.

What are the new rules for issuing the digital certificate to individuals?
One of the new rules promotes simplification of service, because when the buyer presents a digital document, such as the digital CNH installed on his cell phone, or when the physical document can be verified in an official database, the issuance of digital certification can be performed only by the registrar. The need for verification by the verification agent will be required only in other cases.

In addition, it has been authorized that the custody of the physical dossiers of the documents submitted by the buyers be replaced by digital filing. Sending to the Registration Authorities and from these to the Certification Authorities should be done weekly, and no longer monthly. Other changes occurred in the accreditation of the Registration Authorities, but these are technical aspects that, however, will reduce several requirements for the provision of this service and, we hope, will help in reducing the value of the digital certificate charged to the customer.